
    Debian LTS: DLA-1673-1: wordpress security update

    Date: 11 Feb 2019
    Category: Debian LTS
    Posted By: LinuxSecurity Advisories
    
    Package        : wordpress
    Version        : 4.1.25+dfsg-1+deb8u1
    CVE ID         : CVE-2018-20147 CVE-2018-20148 CVE-2018-20149
                     CVE-2018-20150 CVE-2018-20151 CVE-2018-20152
                     CVE-2018-20153
    Debian Bug     : 916403
    
    
    CVE-2018-20147
    
        Authors could modify metadata to bypass intended restrictions on
        deleting files.
    
    CVE-2018-20148
    
        Contributors could conduct PHP object injection attacks via crafted
        metadata in a wp.getMediaItem XMLRPC call. This is caused by
        mishandling of serialized data at phar:// URLs in the
        wp_get_attachment_thumb_file function in wp-includes/post.php.
    
    CVE-2018-20149
    
        When the Apache HTTP Server is used, authors could upload crafted
        files that bypass intended MIME type restrictions, leading to XSS,
        as demonstrated by a .jpg file without JPEG data.
    
    CVE-2018-20150
    
        Crafted URLs could trigger XSS for certain use cases involving
        plugins.
    
    CVE-2018-20151
    
        The user-activation page could be read by a search engine's web
        crawler if an unusual configuration were chosen. The search engine
        could then index and display a user's e-mail address and (rarely)
        the password that was generated by default.
    
    CVE-2018-20152
    
        Authors could bypass intended restrictions on post types via crafted
        input.
    
    CVE-2018-20153
    
        Contributors could modify new comments made by users with greater
        privileges, possibly causing XSS.
    
    
    For Debian 8 "Jessie", these problems have been fixed in version
    4.1.25+dfsg-1+deb8u1.
    
    We recommend that you upgrade your wordpress packages.
    
    Further information about Debian LTS security advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://wiki.debian.org/LTS
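To check whether a host already carries the fixed package, the following added Python example (not code from Debian or from the advisory) reimplements the Debian version ordering described in deb-version(7), so an installed version string can be compared with the fixed version named above offline; FIXED_VERSION is taken from this advisory, and on a live system `dpkg --compare-versions` remains the authoritative check.

```python
import re
from itertools import zip_longest

# Fixed version named in DLA-1673-1 for Debian 8 "Jessie".
FIXED_VERSION = "4.1.25+dfsg-1+deb8u1"

def _order(c):
    # dpkg character weight: '~' sorts before everything (even end of string,
    # which weighs 0); digits are handled separately; letters sort before others.
    if c == "~":
        return -1
    if not c or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # Compare one version component (upstream or revision) the way dpkg does:
    # alternate a non-digit run (character weights) and a digit run (numeric).
    while a or b:
        pa, pb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        for x, y in zip_longest(pa, pb, fillvalue=""):
            if _order(x) != _order(y):
                return _order(x) - _order(y)
        a, b = a[len(pa):], b[len(pb):]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
        a, b = a[len(da):], b[len(db):]
    return 0

def split_version(version):
    # '[epoch:]upstream[-revision]' -> (epoch, upstream, revision)
    epoch, _, rest = version.partition(":") if ":" in version else ("0", "", version)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    # Negative, zero or positive as Debian version a is older than, equal to or newer than b.
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def is_fixed(installed, fixed=FIXED_VERSION):
    # True when the installed wordpress version already carries the DLA-1673-1 fix.
    return compare_versions(installed, fixed) >= 0
```

Feed it the output of `dpkg-query -W -f='${Version}' wordpress`; a backport such as 4.1.25+dfsg-1~deb8u1 correctly sorts below the fixed version, while any later +deb8uN revision or newer upstream counts as fixed.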
    
