oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE Requests for WordPress 3.6.1

From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 11 Sep 2013 18:28:35 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/11/2013 03:28 PM, Andrew Nacin wrote:

Three issues fixed in WordPress 3.6.1: 
http://codex.wordpress.org/Version_3.6.1

* Unsafe PHP unserialization. CWE-502. 
http://core.trac.wordpress.org/changeset/25325.


Please use CVE-2013-4338 for this issue.


* Open Redirect / Insufficient Input Validation. CWE-601. 
http://core.trac.wordpress.org/changeset/25323 and 
http://core.trac.wordpress.org/changeset/25324.


Please use CVE-2013-4339 for this issue.


* Privilege Escalation: a user with an Author role, using a
specially crafted request, was able to create a post that was
marked as "written by" another user.
http://core.trac.wordpress.org/changeset/25321.


Please use CVE-2013-4340 for this issue.

Perfect request =) Thanks

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAEBAgAGBQJSMQqzAAoJEBYNRVNeJnmTiHgQAJUu3dMQMUNUcILBw1vq60wd
VONk5MrHOSZEepUi2RdWQqagH8x9LJMsxu19HcnK/qrGAAy6zXNvq4j9obszT9UV
GMsAU5+OrXCuXvoNMCIofkqabdqXPGbWpw5o+l8I+j71ebOz1th7tH0yye24Badx
y6nUFwYuzrA3x7DL4F3E2ERamGgegUvcwhcpQlUjaeu7TlF6w3Ikq9ZkrJKHOiiz
jvon3WBkAy17ayP093uKbE+zrTrypx+WHoc9ucHdAPmwUgiRDTBPfiTQFaGLdo6P
F6t3zQeaKBKiLKNuGlhmmpEfaMHchjEQTkx4Qjb8E73aOfSXEy0LW1FEhwWrCu9T
O4v8utuqBR3YCOlmJirrCzz7cGtl9LNtW3/U6e12L6DFy9PthcrIgCxObpGJxUlh
JfYFuMQtOFw22srsGJFD1fve7ewzHJb0hw21zTaxh4zggJS/ACEKy5Fnz+89YkFr
D1pXYyD2MBuFlOwqxW8yXnfiIgX1tDWuE9YbbmwM7826iaagYkYlNS1gFVV/Aee1
ze/XOfRZlT2HjhdmKh7gvmTEE1/wJaA7H8LXi/3SuR24F4wfNpryQLx1MdEqSzXL
9GjcFTmdoVwZTOyaavaitCvRoOuopB7hT8SZws0MEHAEi9hFwzVjpokOxFESomki
fAwjXoSgQlfn24LjKakh
=Uj6o
-----END PGP SIGNATURE-----
Previous By Date Next
Previous By Thread Next

Current thread: