oss-sec mailing list archives
CVE Request -- WordPress (3.4.2): CSRF in the incoming links section of the dashboard
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Tue, 25 Sep 2012 08:46:31 -0400 (EDT)
Hello Kurt, Steve, WordPress Security Team, vendors,

an anonymous researcher called 'Akastep' has reported a CSRF flaw being present in the way WordPress of version v3.4.2 and earlier used to process the incoming links section / widget of the dashboard.

References:
[1] http://packetstormsecurity.org/files/116785/WordPress-3.4.2-Cross-Site-Request-Forgery.html
[2] https://bugzilla.redhat.com/show_bug.cgi?id=860261
[3] https://bugs.gentoo.org/show_bug.cgi?id=436198
[4] https://secunia.com/advisories/50715/

AFAIK there is not an upstream ticket and patch for this issue yet (but I might have overlooked something pretty obvious - WordPress upstream, please clarify).

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
Current thread:
- CVE Request -- WordPress (3.4.2): CSRF in the incoming links section of the dashboard Jan Lieskovsky (Sep 25)
- Re: CVE Request -- WordPress (3.4.2): CSRF in the incoming links section of the dashboard Kurt Seifried (Sep 25)