oss-sec mailing list archives
Possible CVE Request: Wordpress 4.1.2 security release
From: Salvatore Bonaccorso <carnil () debian org>
Date: Sun, 26 Apr 2015 13:30:00 +0200
Hi I have not seen a request for CVEs for the issues fixed in the recent WordPress security release: https://wordpress.org/news/2015/04/wordpress-4-1-2/
WordPress 4.1.2 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.1.1 and earlier are affected by a critical cross- site scripting vulnerability, which could enable anonymous users to compromise a site. This was reported by Cedric Van Bockhaven and fixed by Gary Pendergast, Mike Adams, and Andrew Nacin of the WordPress security team. We also fixed three other security issues: * In WordPress 4.1 and higher, files with invalid or unsafe names could be uploaded. Discovered by Michael Kapfer and Sebastian Kraemer of HSASec. * In WordPress 3.9 and higher, a very limited cross-site scripting vulnerability could be used as part of a social engineering attack. Discovered by Jakub Zoczek. * Some plugins were vulnerable to an SQL injection vulnerability. Discovered by Ben Bidner of the WordPress security team. We also made four hardening changes, discovered by J.D. Grimes, Divyesh Prajapati, Allan Collins, Marc-Alexandre Montpas and Jeff Bowen. We appreciated the responsible disclosure of these issues directly to our security team. For more information, see the release notes or consult the list of changes.
Could you please assign CVEs to identify the issues fixed by the latest WordPress release? Regards, Salvatore
Current thread:
- Possible CVE Request: Wordpress 4.1.2 security release Salvatore Bonaccorso (Apr 26)
- Re: Possible CVE Request: Wordpress 4.1.2 security release cve-assign (Apr 28)
- Re: Re: Possible CVE Request: Wordpress 4.1.2 security release Hanno Böck (Apr 28)
- Re: Possible CVE Request: Wordpress 4.1.2 security release cve-assign (Apr 28)