Bug 484700 (CVE-2013-5738) - <www-apps/wordpress-3.6.1 : XSS attacks (CVE-2013-{5738,5739})
Summary: <www-apps/wordpress-3.6.1 : XSS attacks (CVE-2013-{5738,5739})
Status: RESOLVED FIXED
Alias: CVE-2013-5738
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL:
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-09-12 22:58 UTC by GLSAMaker/CVETool Bot
Modified: 2014-01-24 10:16 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description GLSAMaker/CVETool Bot gentoo-dev 2013-09-12 22:58:04 UTC
CVE-2013-5739 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5739):
  The default configuration of WordPress before 3.6.1 does not prevent uploads
  of .swf and .exe files, which might make it easier for remote authenticated
  users to conduct cross-site scripting (XSS) attacks via a crafted file,
  related to the get_allowed_mime_types function in wp-includes/functions.php.

CVE-2013-5738 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5738):
  The get_allowed_mime_types function in wp-includes/functions.php in
  WordPress before 3.6.1 does not require the unfiltered_html capability for
  uploads of .htm and .html files, which might make it easier for remote
  authenticated users to conduct cross-site scripting (XSS) attacks via a
  crafted file.


Awaiting cleanup.
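The mitigation both CVE entries describe, as an added example that is neither WordPress's own 3.6.1 patch nor part of this bug record: a must-use plugin that hooks the `upload_mimes` filter applied inside `get_allowed_mime_types()`, drops `.swf` and `.exe` from the upload whitelist unconditionally, and keeps `.htm`/`.html` only for users holding the `unfiltered_html` capability. It assumes that, from WordPress 3.6.1 on, the filter passes the user object as its second argument (earlier releases pass only the MIME map, which the fallback to `current_user_can()` handles); the function name `example_restrict_upload_mimes` is a placeholder.

```php
<?php
/**
 * Added example, not WordPress code: restrict the upload MIME whitelist
 * along the lines of CVE-2013-5738 / CVE-2013-5739.
 *
 * Drop this file into wp-content/mu-plugins/ so it loads before any
 * theme or plugin can widen the whitelist again.
 *
 * Assumption: the 'upload_mimes' filter receives ($mimes, $user) on
 * WordPress 3.6.1+ and only ($mimes) on older releases.
 */

/**
 * Filter callback for 'upload_mimes'.
 *
 * @param array        $mimes Map of "ext|ext" => MIME type.
 * @param WP_User|null $user  User the whitelist is being built for, or null.
 * @return array Filtered map.
 */
function example_restrict_upload_mimes( $mimes, $user = null ) {
    // Extensions that are only acceptable from users already allowed to post raw HTML.
    $html_exts    = array( 'htm', 'html' );
    // Extensions the hardened default configuration should never accept.
    $blocked_exts = array( 'swf', 'exe' );

    // Resolve whether this user may post unfiltered HTML. When the filter
    // does not pass a user (pre-3.6.1 signature), fall back to the current user.
    if ( $user instanceof WP_User ) {
        $may_post_html = user_can( $user, 'unfiltered_html' );
    } else {
        $may_post_html = current_user_can( 'unfiltered_html' );
    }

    foreach ( array_keys( $mimes ) as $key ) {
        // Whitelist keys group alternative extensions with '|', e.g. 'htm|html'.
        $exts = explode( '|', strtolower( $key ) );

        if ( array_intersect( $exts, $blocked_exts ) ) {
            unset( $mimes[ $key ] );   // never allow .swf / .exe uploads
            continue;
        }
        if ( ! $may_post_html && array_intersect( $exts, $html_exts ) ) {
            unset( $mimes[ $key ] );   // HTML only for unfiltered_html holders
        }
    }

    return $mimes;
}
add_filter( 'upload_mimes', 'example_restrict_upload_mimes', 10, 2 );
```

Matching on the split extension list rather than on fixed keys such as `'htm|html'` keeps the filter correct if another plugin has already rewritten the keys; the unconditional removal of `.swf`/`.exe` mirrors the default-configuration change in 3.6.1, while the capability gate mirrors the `.htm`/`.html` check the CVE-2013-5738 text describes.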
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2013-12-30 05:17:27 UTC
Ping!

Maintainer(s), please drop the vulnerable version.
Comment 2 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-01-24 10:16:05 UTC
All done by radhermit. Closed as [noglsa]