oss-sec mailing list archives
Security vulnerabilities fixed in WordPress 3.3.2
From: Henri Salo <henri () nerv fi>
Date: Mon, 23 Apr 2012 11:05:21 +0300
Page http://codex.wordpress.org/Version_3.3.2 says:

"""
Three external libraries included in WordPress received security updates:

- Plupload (version 1.5.4), which WordPress uses for uploading media.
- SWFUpload, which WordPress previously used for uploading media, and may still be in use by plugins.
- SWFObject, which WordPress previously used to embed Flash content, and may still be in use by plugins and themes.

WordPress 3.3.2 also addresses:

- Limited privilege escalation where a site administrator could deactivate network-wide plugins when running a WordPress network under particular circumstances.
- Cross-site scripting vulnerability when making URLs clickable.
- Cross-site scripting vulnerabilities in redirects after posting comments in older browsers, and when filtering URLs.

A full log of the changes made for 3.3.2 can be found at http://core.trac.wordpress.org/changeset?new=20554%40branches%2F3.3&old=20087%40branches%2F3.3
"""

I asked WordPress if these vulnerabilities already have CVE-identifiers and reported these to OSVDB, Secunia and Debian http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=670124

- Henri Salo