oss-sec mailing list archives
Re: CVE Request: WordPress: cross-site scripting vulnerability fixed in new 4.4.1 release
From: cve-assign () mitre org
Date: Fri, 8 Jan 2016 10:38:37 -0500 (EST)
https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/

WordPress versions 4.4 and earlier are affected by a cross-site scripting vulnerability that could allow a site to be compromised. This was reported by Crtc4L.

There is no reference to the fix, but the change seems to be https://core.trac.wordpress.org/changeset/36185

Cf. as well https://twitter.com/brutelogic/status/685105483397619713

Use CVE-2016-1564. This ID applies to the entirety of changeset/36185 (for example, we do not know whether the change involving $this->stylesheet corresponds to a separate discovery).

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]

Current thread:
- CVE Request: WordPress: cross-site scripting vulnerability fixed in new 4.4.1 release Salvatore Bonaccorso (Jan 08)
- Re: CVE Request: WordPress: cross-site scripting vulnerability fixed in new 4.4.1 release cve-assign (Jan 08)