Source: wordpress
Version: 4.1+dfsg-1
X-Debbugs-CC: t...@security.debian.org secure-testing-t...@lists.alioth.debian.org
Severity: grave
Tags: security upstream fixed-upstream

Hi,

the following vulnerabilities were published for wordpress.

CVE-2017-17091[0]:
| wp-admin/user-new.php in WordPress before 4.9.1 sets the newbloguser
| key to a string that can be directly derived from the user ID, which
| allows remote attackers to bypass intended access restrictions by
| entering this string.

CVE-2017-17092[1]:
| wp-includes/functions.php in WordPress before 4.9.1 does not require
| the unfiltered_html capability for upload of .js files, which might
| allow remote attackers to conduct XSS attacks via a crafted file.

CVE-2017-17093[2]:
| wp-includes/general-template.php in WordPress before 4.9.1 does not
| properly restrict the lang attribute of an HTML element, which might
| allow attackers to conduct XSS attacks via the language setting of a
| site.

CVE-2017-17094[3]:
| wp-includes/feed.php in WordPress before 4.9.1 does not properly
| restrict enclosures in RSS and Atom fields, which might allow attackers
| to conduct XSS attacks via a crafted URL.

Published at [4]. The respective commits are all referenced in the
corresponding CVE page on the security-tracker and were used for the
CVE request.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-17091
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17091
[1] https://security-tracker.debian.org/tracker/CVE-2017-17092
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17092
[2] https://security-tracker.debian.org/tracker/CVE-2017-17093
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17093
[3] https://security-tracker.debian.org/tracker/CVE-2017-17094
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17094
[4] https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/

Regards,
Salvatore
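As an added illustration of the CVE-2017-17092 issue described above (not part of the bug report, and not the upstream 4.9.1 patch itself): a site running an unpatched WordPress can apply the same restriction the report describes, refusing `.js` uploads to users who lack the `unfiltered_html` capability, from a must-use plugin. It uses only the public `upload_mimes` filter and the `user_can()`/`current_user_can()` capability checks, which exist in WordPress core; the mu-plugin file name and the log message text are my own choices, and the assumption that this mirrors the upstream behaviour is mine, not stated by the report.

```php
<?php
/**
 * Plugin Name: Restrict .js uploads to unfiltered_html users (added example)
 * Description: Drops the "js" entry from the allowed upload MIME types
 *              for any user who does not hold the unfiltered_html
 *              capability, so a crafted JavaScript file cannot be uploaded
 *              by lower-privileged accounts. Install as wp-content/mu-plugins/.
 */

// Abort if loaded outside WordPress (direct HTTP request to this file).
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Filter callback for 'upload_mimes'.
 *
 * @param array        $mimes Allowed extensions => MIME types.
 * @param WP_User|null $user  User the list is being computed for, or null
 *                            for the current user (WordPress passes this
 *                            as the second filter argument).
 * @return array Filtered MIME map.
 */
function restrict_js_uploads_to_unfiltered_html( array $mimes, $user = null ) {
    // Resolve the capability check against the supplied user when given,
    // otherwise against the currently logged-in user.
    $allowed = ( $user instanceof WP_User )
        ? user_can( $user, 'unfiltered_html' )
        : current_user_can( 'unfiltered_html' );

    if ( ! $allowed && isset( $mimes['js'] ) ) {
        // Removing the key is what makes wp_check_filetype() reject the
        // upload; the user sees WordPress' normal "file type not permitted" error.
        unset( $mimes['js'] );

        // Record the denial so security operations can spot repeated attempts
        // (log line text is constructed for this example).
        if ( defined( 'WP_DEBUG_LOG' ) && WP_DEBUG_LOG ) {
            $who = ( $user instanceof WP_User ) ? $user->ID : get_current_user_id();
            error_log( sprintf( 'restrict-js-uploads: denied .js upload type for user %d', $who ) );
        }
    }

    return $mimes;
}
add_filter( 'upload_mimes', 'restrict_js_uploads_to_unfiltered_html', 10, 2 );
```

Note that on a multisite install `unfiltered_html` is normally held only by super admins, so this filter will also remove `.js` from site administrators there; that matches the capability the report names rather than introducing a separate allow list.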