NotCVE - vendor:"Wordpress" product:"Wordpress" version:" <= 4.9.8"

Page 22 of 343 results (0.007 seconds)

CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0

CVE-2017-6818 – WordPress Core < 4.7.3 - Cross-Site Scripting via Taxonomy names

https://notcve.org/view.php?id=CVE-2017-6818

In WordPress before 4.7.3 (wp-admin/js/tags-box.js), there is cross-site scripting (XSS) via taxonomy term names. En WordPress en versiones anteriores a 4.7.3 (wp-admin/js/tags-box.js), hay secuencias de comandos de sitios cruzados (XSS) a través de nombres de términos de taxonomía. • http://www.securityfocus.com/bid/96601 http://www.securitytracker.com/id/1037959 https://codex.wordpress.org/Version_4.7.3 https://github.com/WordPress/WordPress/commit/9092fd01e1f452f37c313d38b18f9fe6907541f9 https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release https://wpvulndb.com/vulnerabilities/8769 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.4EPSS: 0%CPEs: 3EXPL: 2

CVE-2017-6814 – WordPress Core < 4.7.3 - Cross-Site Scripting via Media Metadata

https://notcve.org/view.php?id=CVE-2017-6814

In WordPress before 4.7.3, there is authenticated Cross-Site Scripting (XSS) via Media File Metadata. This is demonstrated by both (1) mishandling of the playlist shortcode in the wp_playlist_shortcode function in wp-includes/media.php and (2) mishandling of meta information in the renderTracks function in wp-includes/js/mediaelement/wp-playlist.js. En WordPress en versiones anteriores a 4.7.3, hay XSS autenticada a través de Media File Metadata. Esto es demostrado tanto por (1) mal manejo de la playlist shortcode en la función wp_playlist_shortcode en wp-includes/media.php y (2) mal manejo de de meta información en la función renderTracks en wp-includes/js/mediaelement/wp-playlist.js. • http://openwall.com/lists/oss-security/2017/03/06/8 http://www.debian.org/security/2017/dsa-3815 http://www.securityfocus.com/bid/96601 http://www.securitytracker.com/id/1037959 https://codex.wordpress.org/Version_4.7.3 https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7 https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-re • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0

CVE-2017-6815 – WordPress Core < 4.7.3 - Bypass URL Validation

https://notcve.org/view.php?id=CVE-2017-6815

In WordPress before 4.7.3 (wp-includes/pluggable.php), control characters can trick redirect URL validation. En WordPress en versiones anteriores a 4.7.3 (wp-includes/pluggable.php), los caracteres de control pueden trucar la validación de la URL de direccionamiento. • http://www.debian.org/security/2017/dsa-3815 http://www.securityfocus.com/bid/96600 http://www.securitytracker.com/id/1037959 https://codex.wordpress.org/Version_4.7.3 https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release https://wpvulndb.com/vulnerabilities/8766 • CWE-20: Improper Input Validation •

CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0

CVE-2017-5612 – WordPress Core < 4.7.2 - Cross-Site Scripting

https://notcve.org/view.php?id=CVE-2017-5612

Cross-site scripting (XSS) vulnerability in wp-admin/includes/class-wp-posts-list-table.php in the posts list table in WordPress before 4.7.2 allows remote attackers to inject arbitrary web script or HTML via a crafted excerpt. Vulnerabilidad de XSS en wp-admin/includes/class-wp-posts-list-table.php en la tabla de lista de publicaciones en WordPress en versiones anteriores a 4.7.2 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de un extracto manipulado. • http://www.debian.org/security/2017/dsa-3779 http://www.openwall.com/lists/oss-security/2017/01/28/5 http://www.securityfocus.com/bid/95816 http://www.securitytracker.com/id/1037731 https://codex.wordpress.org/Version_4.7.2 https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849 https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release https://wpvulndb.com/vulnerabilities/8731 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.5EPSS: 45%CPEs: 3EXPL: 0

CVE-2017-1001000 – WordPress Core < 4.7.2 - Arbitrary Page Modification

https://notcve.org/view.php?id=CVE-2017-1001000

The register_routes function in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in the REST API in WordPress 4.7.x before 4.7.2 does not require an integer identifier, which allows remote attackers to modify arbitrary pages via a request for wp-json/wp/v2/posts followed by a numeric value and a non-numeric value, as demonstrated by the wp-json/wp/v2/posts/123?id=123helloworld URI. La función register_routes en wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php en la API REST en WordPress 4.7.x en versiones anteriores a 4.7.2 no requiere un identificador de número entero, lo que permite a atacantes remotos modificar páginas arbitrarias a través de una solicitud para wp-json/wp/v2/posts seguida por un valor numérico y un valor no numérico, según lo demostrado mediante la URI wp-json/wp/v2/posts/123?id=123helloworld. • http://www.openwall.com/lists/oss-security/2017/02/10/16 http://www.securitytracker.com/id/1037731 https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html https://blogs.akamai.com/2017/02/wordpress-web-api-vulnerability.html https://codex.wordpress.org/Version_4.7.2 https://gist.github.com/leonjza/2244eb15510a0687ed93160c623762ab https://github.com/WordPress/WordPress/commit/e357195ce303017d517aff944644a7a1232926f7 https://make.wordpress.org/core/2017/02/01/disclosure-of • CWE-285: Improper Authorization •

1...20 21 22 23 24