Bug 484700 (CVE-2013-5738)

Summary: <www-apps/wordpress-3.6.1 : XSS attacks (CVE-2013-{5738,5739})
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: tampakrap, web-apps
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2013-09-12 22:58:04 UTC
CVE-2013-5739 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5739):
  The default configuration of WordPress before 3.6.1 does not prevent uploads
  of .swf and .exe files, which might make it easier for remote authenticated
  users to conduct cross-site scripting (XSS) attacks via a crafted file,
  related to the get_allowed_mime_types function in wp-includes/functions.php.

CVE-2013-5738 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5738):
  The get_allowed_mime_types function in wp-includes/functions.php in
  WordPress before 3.6.1 does not require the unfiltered_html capability for
  uploads of .htm and .html files, which might make it easier for remote
  authenticated users to conduct cross-site scripting (XSS) attacks via a
  crafted file.

Awaiting cleanup.
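As an added mitigation example (not from this bug report and not WordPress's own code): a plugin-style `upload_mimes` filter that strips the extensions named in both CVEs (.htm/.html, .swf, .exe) from the allowed upload list for any user lacking the `unfiltered_html` capability, for a site that has not yet moved to the fixed 3.6.1 package. The `upload_mimes` hook and `current_user_can()` are real WordPress APIs; the function name and the sample mime list are assumptions constructed for this demonstration.

```php
<?php
// Added example, not part of the Gentoo bug or of WordPress itself.
// Restricts the upload types the two CVEs concern (.htm/.html, .swf, .exe)
// to users who already hold `unfiltered_html`; everyone else loses them.
// Assumes the real WordPress hook `upload_mimes` and `current_user_can()`.

function hardened_upload_mimes( array $mimes ) {
    // A user allowed to post unfiltered HTML gains nothing from this
    // restriction, so leave the list untouched for them.
    if ( function_exists( 'current_user_can' ) && current_user_can( 'unfiltered_html' ) ) {
        return $mimes;
    }

    $blocked = array( 'htm', 'html', 'swf', 'exe' );

    foreach ( $mimes as $ext_pattern => $type ) {
        // Keys may list alternatives, e.g. 'htm|html' => 'text/html',
        // so every alternative is checked, not just the whole key.
        $exts = explode( '|', strtolower( $ext_pattern ) );
        if ( array_intersect( $exts, $blocked ) ) {
            unset( $mimes[ $ext_pattern ] );
        }
    }
    return $mimes;
}

if ( function_exists( 'add_filter' ) ) {
    // Inside WordPress: register as a normal filter on the allowed types.
    add_filter( 'upload_mimes', 'hardened_upload_mimes' );
} elseif ( PHP_SAPI === 'cli' ) {
    // Outside WordPress: run against a constructed sample of the default list.
    $sample = array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'htm|html'     => 'text/html',
        'swf'          => 'application/x-shockwave-flash',
        'exe'          => 'application/x-msdownload',
        'pdf'          => 'application/pdf',
    );
    print_r( hardened_upload_mimes( $sample ) );
}
```

The filter is a stopgap only; the resolution recorded in this bug is dropping the vulnerable package version so that sites run 3.6.1 or later.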
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2013-12-30 05:17:27 UTC
Ping!

Maintainer(s), please drop the vulnerable version.
Comment 2 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-01-24 10:16:05 UTC
All done by radhermit. Closed as [noglsa]