Page 35 of 344 results (0.006 seconds)

CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0

wp-includes/pluggable.php in WordPress before 3.9.2 does not use delimiters during concatenation of action values and uid values in CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack. wp-includes/pluggable.php en WordPress anterior a 3.9.2 no utiliza delimitadores durante la concatenación de los valores de acción y los valores uid en los tokens CSRF, lo que facilita a aqtacantes remotos evadir un mecanismo de protección CSRF a través de un ataque de fuerza bruta. • http://openwall.com/lists/oss-security/2014/08/13/3 http://www.debian.org/security/2014/dsa-3001 https://core.trac.wordpress.org/changeset/29408 https://wordpress.org/news/2014/08/wordpress-3-9-2 • CWE-352: Cross-Site Request Forgery (CSRF) CWE-862: Missing Authorization •

CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0

wp-includes/pluggable.php in WordPress before 3.9.2 rejects invalid CSRF nonces with a different timing depending on which characters in the nonce are incorrect, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack. wp-includes/pluggable.php en WordPress anterior a 3.9.2 rechaza cadenas de caracteres de un sólo uso CSRF inválidos con diferencias de tiempo dependiendo de qué caracteres en la cadena de caracteres de un sólo uso sean incorrectos, lo que facilita a atacantes remotos evadir un mecanismo de protección CSRF a través de un ataque de fuerza bruta. • http://openwall.com/lists/oss-security/2014/08/13/3 http://www.debian.org/security/2014/dsa-3001 https://core.trac.wordpress.org/changeset/29384 https://wordpress.org/news/2014/08/wordpress-3-9-2 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0

Cross-site request forgery (CSRF) vulnerability in wp-login.php in WordPress 3.7.4, 3.8.4, 3.9.2, and 4.0 allows remote attackers to hijack the authentication of arbitrary users for requests that reset passwords. Vulnerabilidad de CSRF en wp-login.php in WordPress 3.7.4, 3.8.4, 3.9.2, y 4.0 permite a atacantes remotos secuestrar la autenticación de usuarios arbitrarios para solicitudes que reconfiguran contraseñas. • http://advisories.mageia.org/MGASA-2014-0493.html http://core.trac.wordpress.org/changeset/30418 http://openwall.com/lists/oss-security/2014/11/25/12 http://www.debian.org/security/2014/dsa-3085 http://www.mandriva.com/security/advisories?name=MDVSA-2014:233 http://www.securitytracker.com/id/1031243 https://wordpress.org/news/2014/11/wordpress-4-0-1 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 7.5EPSS: 7%CPEs: 2EXPL: 0

wp-includes/class-wp-customize-widgets.php in the widget implementation in WordPress 3.9.x before 3.9.2 might allow remote attackers to execute arbitrary code via crafted serialized data. wp-includes/class-wp-customize-widgets.php en la implementación widget en WordPress 3.9.x anterior a 3.9.2 podría permitir a atacantes remotos ejecutar código arbitrario a través de datos serializados manipulados. • http://openwall.com/lists/oss-security/2014/08/13/3 https://core.trac.wordpress.org/changeset/29389 https://wordpress.org/news/2014/08/wordpress-3-9-2 • CWE-502: Deserialization of Untrusted Data •

CVSS: 6.5EPSS: 92%CPEs: 122EXPL: 0

The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, does not limit the number of elements in an XML document, which allows remote attackers to cause a denial of service (CPU consumption) via a large document, a different vulnerability than CVE-2014-5265. La libraría Incutio XML-RPC (IXR) , utilizado en WordPress anterior a 3.9.2 y Drupal 6.x anterior a 6.33 y 7.x anterior a 7.31, no limita el número de elementos en un documento XML, lo que permite a atacantes remotos causar una denegación de servicio (consumo de CPU) a través de un documento grande, una vulnerabilidad diferente a CVE-2014-5265. Wordpress XMLRPC parsing is vulnerable to a XML based denial of service. This vulnerability affects Wordpress 3.5 - 3.9.2 (3.8.4 and 3.7.4 are also patched). • http://cgit.drupalcode.org/drupal/diff/includes/xmlrpc.inc?id=1849830 http://cgit.drupalcode.org/drupal/diff/modules/openid/xrds.inc?id=1849830 http://www.debian.org/security/2014/dsa-2999 http://www.debian.org/security/2014/dsa-3001 https://core.trac.wordpress.org/changeset/29404 https://wordpress.org/news/2014/08/wordpress-3-9-2 https://www.drupal.org/SA-CORE-2014-004 http://www.breaksec.com/?p=6362 https://mashable.com/archive/wordpress-xml-blowup-dos • CWE-399: Resource Management Errors CWE-400: Uncontrolled Resource Consumption •