Bug 427790 (CVE-2012-3383) - <www-apps/wordpress-3.4.1: Multiple vulnerabilities (CVE-2012-{3383,3384,3385})
Summary: <www-apps/wordpress-3.4.1: Multiple vulnerabilities (CVE-2012-{3383,3384,3385})
Status: RESOLVED FIXED
Alias: CVE-2012-3383
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: Linux
Importance: Normal trivial
Assignee: Gentoo Security
Whiteboard: ~4 [noglsa]
Reported: 2012-07-23 19:15 UTC by GLSAMaker/CVETool Bot
Modified: 2012-09-06 22:12 UTC

Description GLSAMaker/CVETool Bot gentoo-dev 2012-07-23 19:15:43 UTC
CVE-2012-3385 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3385):
  WordPress before 3.4.1 does not properly restrict access to post contents
  such as private or draft posts, which allows remote authors or contributors
  to obtain sensitive information via unknown vectors.

CVE-2012-3384 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3384):
  Cross-site request forgery (CSRF) vulnerability in the customizer in
  WordPress before 3.4.1 allows remote attackers to hijack the authentication
  of unspecified victims via unknown vectors.

CVE-2012-3383 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3383):
  WordPress 3.4.0 does not properly restrict access to unfiltered_html when
  multisite is enabled, which allows remote administrators or editors to
  perform cross-site scripting (XSS) attacks.


WordPress 3.3.3 was also released [1] to fix some of these issues in the 3.3 branch.

[1] http://codex.wordpress.org/Version_3.3.3
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2012-08-11 17:15:21 UTC
=www-apps/wordpress-3.4.1 is in the tree, thanks. Closing noglsa for ~arch only.