Page 17 of 83 results (0.004 seconds)

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

wp-admin/user-new.php in WordPress before 4.9.1 sets the newbloguser key to a string that can be directly derived from the user ID, which allows remote attackers to bypass intended access restrictions by entering this string. wp-admin/user-new.php en WordPress en versiones anteriores a la 4.9.1 establece la clave newbloguser a una cadena que se puede derivar directamente del ID de usuario, lo que permite que los atacantes remotos omitan las restricciones de acceso planeadas introduciendo esta cadena. • http://www.securityfocus.com/bid/102024 https://codex.wordpress.org/Version_4.9.1 https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c https://lists.debian.org/debian-lts-announce/2017/12/msg00019.html https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release https://wpvulndb.com/vulnerabilities/8969 https://www.debian.org/security/2018/dsa-4090 • CWE-285: Improper Authorization CWE-330: Use of Insufficiently Random Values •

CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0

wp-includes/feed.php in WordPress before 4.9.1 does not properly restrict enclosures in RSS and Atom fields, which might allow attackers to conduct XSS attacks via a crafted URL. wp-includes/feed.php en WordPress en versiones anteriores a la 4.9.1 no restringe contenedores en los campos RSS y Atom, lo que puede permitir que los atacantes realicen ataques Cross-Site Scripting (XSS) mediante una URL manipulada. • http://www.securityfocus.com/bid/102024 https://codex.wordpress.org/Version_4.9.1 https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de https://lists.debian.org/debian-lts-announce/2017/12/msg00019.html https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release https://wpvulndb.com/vulnerabilities/8967 https://www.debian.org/security/2018/dsa-4090 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.4EPSS: 0%CPEs: 4EXPL: 0

wp-includes/general-template.php in WordPress before 4.9.1 does not properly restrict the lang attribute of an HTML element, which might allow attackers to conduct XSS attacks via the language setting of a site. wp-includes/general-template.php en WordPress en versiones anteriores a la 4.9.1 no restringe correctamente el atributo lang de un elemento HTML, lo que puede permitir que los atacantes realicen ataques Cross-Site Scripting (XSS) mediante la configuración de idioma de un sitio web. • http://www.securityfocus.com/bid/102024 https://codex.wordpress.org/Version_4.9.1 https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a https://lists.debian.org/debian-lts-announce/2017/12/msg00019.html https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release https://wpvulndb.com/vulnerabilities/8968 https://www.debian.org/security/2018/dsa-4090 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •