This is a follow up to an earlier post, highlighting an XSS and information
disclosure vulnerability in versions of Untangle 9-11
The previous post is shown in full below this post.
Additional un-patched vectors have been discovered that allow for these issues
to be exploited with increased fe
"We also welcome bug reports for the open source projects WordPress,
BuddyPress, and bbPress."
Oh, I see. I was mistaken.
On Mon, Apr 27, 2015 at 4:51 PM, Ryan Dewhurst wrote:
> They're registered as part of Automattic -
> https://hackerone.com/automattic
>
> On Mon, Apr 27, 2015 at 10:41 PM, S
They're registered as part of Automattic - https://hackerone.com/automattic
On Mon, Apr 27, 2015 at 10:41 PM, Scott Arciszewski wrote:
> The author added a note on his page: http://klikki.fi/adv/wordpress2.html
>
> Also, searching HackerOne does not reveal a public WordPress program, only
> WP-A
On 27 Apr 2015 at 16:55, Hanno Böck wrote:
> As there is still no fix from upstream I created a quick'n'dirty fix
> for it:
> https://gist.github.com/hannob/a07f7b7e196c75c4c1a8
> https://files.hboeck.de/wordpress-4.2-emergency-fix-xss.diff
>
Looks like the WP team published an official fix:
ht
The author added a note on his page: http://klikki.fi/adv/wordpress2.html
Also, searching HackerOne does not reveal a public WordPress program, only
WP-API. Does this mean that WordPress was privately participating in
HackerOne for select hackers? If so, revealing that publicly is kind of
rude. :(
On Mon, Apr 27, 2015 at 8:55 AM, Anthony Ferrara wrote:
> Just for clarification, was the project given a chance to fix this or
> notified in any way prior to public announcement?
>
Apparently WordPress completely ignored all of their notification attempts.
Klikki just added this paragraph to th
Just for clarification, was the project given a chance to fix this or
notified in any way prior to public announcement?
On Sun, Apr 26, 2015 at 4:13 PM, Jouko Pynnonen wrote:
> *Overview*
> Current versions of WordPress are vulnerable to a stored XSS. An
> unauthenticated attacker can inject Java
As there is still no fix from upstream I created a quick'n'dirty fix
for it:
https://gist.github.com/hannob/a07f7b7e196c75c4c1a8
https://files.hboeck.de/wordpress-4.2-emergency-fix-xss.diff
It certainly doesn't comply with any coding style or anything :-) but it
should protect you for now.
--
Ha
1. Advisory Information
Title: InFocus IN3128HD Projector Multiple Vulnerabilities
Advisory ID: CORE-2015-0008
Advisory URL:
http://www.coresecurity.com/advisories/infocus-in3128hd-projector-multiple-vulnerabilities
Date published: 2015-04-27
Date of last update: 2015-04-22
Vendors contacted: InF