NotCVE - vendor:"Wordpress" product:"Wordpress" version:" <= 2.1.2"

Page 13 of 280 results (0.008 seconds)

CVSS: 6.4EPSS: 0%CPEs: 4EXPL: 0

CVE-2017-17093 – WordPress Core < 4.9.1- Stored Cross-Site Scripting via Language

https://notcve.org/view.php?id=CVE-2017-17093

wp-includes/general-template.php in WordPress before 4.9.1 does not properly restrict the lang attribute of an HTML element, which might allow attackers to conduct XSS attacks via the language setting of a site. wp-includes/general-template.php en WordPress en versiones anteriores a la 4.9.1 no restringe correctamente el atributo lang de un elemento HTML, lo que puede permitir que los atacantes realicen ataques Cross-Site Scripting (XSS) mediante la configuración de idioma de un sitio web. • http://www.securityfocus.com/bid/102024 https://codex.wordpress.org/Version_4.9.1 https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a https://lists.debian.org/debian-lts-announce/2017/12/msg00019.html https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release https://wpvulndb.com/vulnerabilities/8968 https://www.debian.org/security/2018/dsa-4090 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

CVE-2017-17091 – WordPress Core < 4.9.1 - Authorization Bypass

https://notcve.org/view.php?id=CVE-2017-17091

wp-admin/user-new.php in WordPress before 4.9.1 sets the newbloguser key to a string that can be directly derived from the user ID, which allows remote attackers to bypass intended access restrictions by entering this string. wp-admin/user-new.php en WordPress en versiones anteriores a la 4.9.1 establece la clave newbloguser a una cadena que se puede derivar directamente del ID de usuario, lo que permite que los atacantes remotos omitan las restricciones de acceso planeadas introduciendo esta cadena. • http://www.securityfocus.com/bid/102024 https://codex.wordpress.org/Version_4.9.1 https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c https://lists.debian.org/debian-lts-announce/2017/12/msg00019.html https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release https://wpvulndb.com/vulnerabilities/8969 https://www.debian.org/security/2018/dsa-4090 • CWE-285: Improper Authorization CWE-330: Use of Insufficiently Random Values •

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0

CVE-2017-16510 – WordPress Core < 4.8.3 - SQL Injection due to Double Prepare approach

https://notcve.org/view.php?id=CVE-2017-16510

WordPress before 4.8.3 is affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi) in plugins and themes, as demonstrated by a "double prepare" approach, a different vulnerability than CVE-2017-14723. WordPress en versiones anteriores a la 4.8.3 se ve afectado por un problema en el que $wpdb->prepare() puede crear consultas inseguras e inesperadas que podrían provocar una inyección SQL (SQLi) en plugins y temas, tal y como se ve en el enfoque "double prepare". Esta es una vulnerabilidad diferente a CVE-2017-14723. • http://www.securityfocus.com/bid/101638 https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html https://codex.wordpress.org/Version_4.8.3 https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d https://lists.debian.org/debian-lts-announce/2017/11/msg00003.html https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release https://wpvulndb.com/vulnerabilities/8941 https://www.debian.org/security/2018/dsa-4090 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 4.7EPSS: 0%CPEs: 1EXPL: 0

CVE-2016-9263 – WordPress Core < 4.9.1 - Cross-domain Flash injection

https://notcve.org/view.php?id=CVE-2016-9263

WordPress through 4.8.2, when domain-based flashmediaelement.swf sandboxing is not used, allows remote attackers to conduct cross-domain Flash injection (XSF) attacks by leveraging code contained within the wp-includes/js/mediaelement/flashmediaelement.swf file. WordPress hasta la versión 4.8.2, cuando no se utiliza el sandboxing flashmediaelement.swf basado en dominios, permite que atacantes remotos realicen ataques de inyección de código Flash en dominios cruzados (XSF) usando código contenido en el archivo wp-includes/js/mediaelement/flashmediaelement.swf. WordPress through 4.9.1, when domain-based flashmediaelement.swf sandboxing is not used, allows remote attackers to conduct cross-domain Flash injection (XSF) attacks by leveraging code contained within the wp-includes/js/mediaelement/flashmediaelement.swf file. • http://www.securityfocus.com/bid/101294 https://opnsec.com/2017/10/cve-2016-9263-unpatched-xsf-vulnerability-in-wordpress • CWE-20: Improper Input Validation •

CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0

CVE-2017-14720 – WordPress Core < 4.8.2 - Cross-Site Scripting via Template Name

https://notcve.org/view.php?id=CVE-2017-14720

Before version 4.8.2, WordPress allowed a Cross-Site scripting attack in the template list view via a crafted template name. Antes de la versión 4.8.2, WordPress permitía un ataque de Cross-Site Scripting (XSS) en la vista de plantilla de lista mediante un nombre de plantilla modificado. • http://www.securityfocus.com/bid/100912 http://www.securitytracker.com/id/1039553 https://core.trac.wordpress.org/changeset/41412 https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release https://www.debian.org/security/2017/dsa-3997 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

1...11 12 13 14 15