Page 39 of 193 results (0.005 seconds)

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

CVE-2011-0701 – WordPress Core < 3.0.5 - Improper Authorization to Information Disclosure

https://notcve.org/view.php?id=CVE-2011-0701

wp-admin/async-upload.php in the media uploader in WordPress before 3.0.5 allows remote authenticated users to read (1) draft posts or (2) private posts via a modified attachment_id parameter. wp-admin/async-upload.php en media uploader en WordPress anterior a v3.0.5 permite a usuarios remotos autenticados leer (1) posts borradores o (2) posts privados a través del parámetro modificado attachment_id. • http://codex.wordpress.org/Version_3.0.5 http://core.trac.wordpress.org/changeset/17393 http://lists.fedoraproject.org/pipermail/package-announce/2011-March/056412.html http://lists.fedoraproject.org/pipermail/package-announce/2011-March/056998.html http://lists.fedoraproject.org/pipermail/package-announce/2011-March/057003.html http://openwall.com/lists/oss-security/2011/02/08/7 http://openwall.com/lists/oss-security/2011/02/09/13 http://secunia.com/advisories/43729 http://www • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-285: Improper Authorization •

CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0

CVE-2011-3818 – WordPress Core 2.9.2 and 3.0.4 - Sensitive Information Disclosure

https://notcve.org/view.php?id=CVE-2011-3818

WordPress 2.9.2 and 3.0.4 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by wp-admin/includes/user.php and certain other files. WordPress v2.9.2 y v3.0.4 permiten a atacantes remotos obtener información sensible a través de una petición directa a un archivo .php, lo que revela la ruta de instalación en un mensaje de error, como se demostró con wp-admin/includes/user.php y algunos otros archivos. • http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/wordpress_2.9.2 http://www.openwall.com/lists/oss-security/2011/06/27/6 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0

CVE-2011-0700 – WordPress Core <= 3.0.4 - Cross-Site Scripting

https://notcve.org/view.php?id=CVE-2011-0700

Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 3.0.5 allow remote authenticated users to inject arbitrary web script or HTML via vectors related to (1) the Quick/Bulk Edit title (aka post title or post_title), (2) post_status, (3) comment_status, (4) ping_status, and (5) escaping of tags within the tags meta box. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en Wordpress en versiones anteriores a v3.0.5, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro (1) Quick/Bulk Edit title (también conocido como post title or post_title), (2) post_status, (3) comment_status, (4) ping_status, y (5)saliendo de tags sin usar tags meta box . • http://codex.wordpress.org/Version_3.0.5 http://core.trac.wordpress.org/changeset/17397 http://core.trac.wordpress.org/changeset/17401 http://core.trac.wordpress.org/changeset/17406 http://core.trac.wordpress.org/changeset/17412 http://lists.fedoraproject.org/pipermail/package-announce/2011-March/056412.html http://lists.fedoraproject.org/pipermail/package-announce/2011-March/056998.html http://lists.fedoraproject.org/pipermail/package-announce/2011-March/057003.html http://openwall.com/lists&#x • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •