oss-sec mailing list archives

Re: WordPress plugins vulnerable to CVE-2013-1808


From: Henri Salo <henri () nerv fi>
Date: Thu, 16 May 2013 18:31:59 +0300

On Thu, Mar 28, 2013 at 03:44:09PM +0000, Christey, Steven M. wrote:
> Henri,
>
> It appears that CVE-2013-1463 was previously assigned to an issue that was
> claimed to exist in WP-Table Reloaded and fixed by that module developer,
> but the attack vector involves the id parameter to
> js/tabletools/zeroclipboard.swf, so this is likely a duplicate.  Can you
> confirm?
>
> If this is a duplicate, we have an unusual situation for how to resolve it.
> The older CVE, CVE-2013-1463, is much more widely used than the newer
> CVE-2013-1808, which would argue for keeping the older CVE-2013-1463.
> However, because that older CVE focuses on the wrong product, and
> CVE-2013-1808 is referenced in Red Hat's Bugzilla and thus "more
> authoritative," this would argue for keeping CVE-2013-1808.
>
> - Steve

I'm not sure whether wp-table-reloaded used a custom version of zeroclipboard
or not, but judging by the checksums, other plugins did too. Let's REJECT
CVE-2013-1463 and use CVE-2013-1808.

http://osvdb.org/90374

---
Henri Salo

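Henri's remark about comparing checksums is the practical way to find every plugin that bundles the same vendored component, which is what turns one zeroclipboard.swf advisory into a list of affected plugins. The following is an added example, not code from this thread or from any WordPress plugin: it walks a wp-content/plugins-style directory, hashes every file named zeroclipboard.swf (matched case-insensitively) with SHA-256, groups plugin slugs by digest, and then reports which plugins ship a digest from a "known vulnerable" set. The plugin tree, file contents and digest set are constructed for the example; no real SWF bytes or real digests are used.

```python
"""Find plugins that bundle byte-identical copies of a vendored file
(here zeroclipboard.swf) by content hash, so one vulnerable upstream
component can be traced to every plugin that ships it."""
import hashlib
import os
import tempfile
from collections import defaultdict

# Constructed sample plugin tree with hypothetical contents (not real SWF
# bytes). Two plugins ship byte-identical copies, a third ships a modified
# copy with a different filename case, and one unrelated file is ignored.
SAMPLE_TREE = {
    "wp-table-reloaded/js/tabletools/zeroclipboard.swf": b"FWS\x08 stock zeroclipboard",
    "another-plugin/js/zeroclipboard.swf": b"FWS\x08 stock zeroclipboard",
    "third-plugin/assets/ZeroClipboard.swf": b"FWS\x08 locally patched copy",
    "third-plugin/readme.txt": b"not a flash movie",
}


def build_sample_tree(root):
    """Write SAMPLE_TREE under root so the scan can run offline."""
    for rel, data in SAMPLE_TREE.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def sha256_file(path, chunk=1 << 16):
    """Stream the file through SHA-256 so large assets do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_bundled_copies(plugins_root, basename="zeroclipboard.swf"):
    """Map sha256 digest -> sorted plugin slugs for every file whose basename
    matches (case-insensitive). The slug is the first path component under
    plugins_root, which is how wp-content/plugins is laid out."""
    by_hash = defaultdict(set)
    for dirpath, _, filenames in os.walk(plugins_root):
        for fn in filenames:
            if fn.lower() != basename.lower():
                continue
            path = os.path.join(dirpath, fn)
            slug = os.path.relpath(path, plugins_root).split(os.sep)[0]
            by_hash[sha256_file(path)].add(slug)
    return {digest: sorted(slugs) for digest, slugs in by_hash.items()}


def plugins_shipping(groups, known_digests):
    """Given find_bundled_copies() output and a set of digests known to be the
    vulnerable upstream build, return the affected plugin slugs."""
    hit = set()
    for digest, slugs in groups.items():
        if digest in known_digests:
            hit.update(slugs)
    return sorted(hit)


def demo():
    """Scan the constructed tree in a temp dir and return the digest groups."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return find_bundled_copies(root)


if __name__ == "__main__":
    for digest, slugs in demo().items():
        print(digest[:16], ", ".join(slugs))
```

Against a real install, point find_bundled_copies() at wp-content/plugins and feed plugins_shipping() the digest of the upstream build you have confirmed vulnerable; plugins whose copy hashes differently still need a manual look, since a locally patched file and a differently packaged vulnerable one are indistinguishable by hash alone.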
