Source: wordpress Version: 5.0.3+dfsg1-1 Severity: important Tags: security upstream
Hi, The following vulnerability was published for wordpress, filling for tracking. This is the left open issue in 5.0.3 from [1]. CVE-2019-8943[0]: | WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An | attacker (who has privileges to crop an image) can write the output | image to an arbitrary directory via a filename containing two image | extensions and ../ sequences, such as a filename ending with the | .jpg?/../../file.jpg substring. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2019-8943 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8943 [1] https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/ Please adjust the affected versions in the BTS as needed. Regards, Salvatore

