
List:       oss-security
Subject:    [oss-security] Re: CVE Request: Wordpress: 4.7.2 security release: unauthorized bypass, SQL injectio
From:       <cve-assign () mitre ! org>
Date:       2017-01-28 20:47:39
Message-ID: ed10da959b8b4d51bdfc70e3820c6a89 () imshyb01 ! MITRE ! ORG

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
> https://codex.wordpress.org/Version_4.7.2

> [] 1/ The user interface for assigning taxonomy terms in Press This is shown to
> users who do not have permissions to use it. Reported by David Herrera of Alley
> Interactive.
> https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454

Use CVE-2017-5610.


> [] 2/ WP_Query is vulnerable to a SQL injection (SQLi) when passing unsafe data.
> WordPress core is not directly vulnerable to this issue, but we've added
> hardening to prevent plugins and themes from accidentally causing a
> vulnerability. Reported by Mo Jangda (batmoo).
> https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb

Use CVE-2017-5611.


> [] 3/ A cross-site scripting (XSS) vulnerability was discovered in the posts list
> table. Reported by Ian Dunn of the WordPress Security Team.
> https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849

Use CVE-2017-5612.


- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJYjQMaAAoJEHb/MwWLVhi29sYP/jzIGOAGx8INCPLVLnadqphE
VDvhcdL6uWZEy5ykTVydja6UmUqSQ3rJULtE2+R86Nfl5EXpmPSvqTJRxaoWgJSu
w0a+v/ZJMb6WNFx2DlR24EN8fKSWHRYR8eu9pquHJwqTgLHH2YKd4WeXCtGmraAg
FOh4Dxecayh22RR2WrGN2oALW5vFz6CNnc3MhQWAzgEWvqBwm8VMznrT8NlvjLrA
IyxaVbfUcKLw0cWPmHw0b/054wlXCfTLuFKlCp9QEjeF8+B7L5XlhEkEueV8a0Ir
Cg1J+PVbPDpmp686rZWfULyI0WODOOpUIBFnXUOs529knkQxUyKY5ZB6j6a1Kaj6
JbMh10sPSPVnGUAWH5I9fzOzwqkSqtqNGXKOOBTllGIW3WsKARckmex7eqJXydhD
xef8UEFOYxVUbUDAUAUlSVvRXmKh6lFUE7iYG5drxRtOVeNkmdX7F4zOfl3Dkc9H
G3nXPzPRJ1EiAMHzO0wHDrT1Y2tsvVrPGEYoNCgMPMpwIiCx9DUBEjhYqz/IytXd
U23Zd2YRLn4LQ2RNkVlKgLKZj5wP1aHRA+NXow3VYNf9L66w/5zw7ouxg+c8aPEd
G5UqJ3Bl3pUtOP5BsciINs5aXFXdIJvPcny4zg6Ta6/d+Jk/w9q1TX3nQ7xhcfff
d3Jj+zNCED6LUCSRPtde
=dkka
-----END PGP SIGNATURE-----
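Editor's note, added to this archive page and not part of the message above or of WordPress core: the two plugin-side mistakes the quoted release notes describe, an access-controlled UI rendered without a capability check (item 1) and request data handed straight to WP_Query (item 2), are easy to reproduce in third-party code. The example below shows a plugin handler written the unsafe way beside a hardened version. The function names, the hypothetical `type`, `orderby` and `ids` request parameters, and the choice of WP_Query arguments are assumptions made for illustration only; they are not taken from the 4.7.2 changesets, and the unsafe variant is not a claim that any particular WP_Query argument is exploitable, only that a plugin should not depend on core's internal validation.

```php
<?php
/**
 * Added example: plugin-side hardening for the two bug classes named in the
 * WordPress 4.7.2 release notes. Not WordPress core code and not taken from
 * the 4.7.2 changesets. The request parameters (type, orderby, ids), the
 * function names and the taxonomy used here are hypothetical.
 */

// --- Anti-pattern: what a plugin should not do -----------------------------

function example_plugin_unsafe_listing() {
    // No capability check: every user who reaches this code sees the
    // term-assignment UI, whether or not they may assign terms.
    wp_terms_checklist( 0, array( 'taxonomy' => 'category' ) );

    // Request data passed straight into WP_Query. Whether this is safe depends
    // entirely on core's internal validation of each argument, which is
    // exactly what the 4.7.2 hardening tightened. A plugin should validate
    // its own input and not rely on that.
    return new WP_Query( array(
        'post_type' => $_GET['type'],
        'orderby'   => $_GET['orderby'],
        'post__in'  => $_GET['ids'],
    ) );
}

// --- Hardened version --------------------------------------------------------

function example_plugin_safe_listing() {
    $taxonomy = get_taxonomy( 'category' );

    // Render the assignment UI only to users the taxonomy allows to assign
    // terms; the capability name is taken from the taxonomy object itself.
    if ( $taxonomy && current_user_can( $taxonomy->cap->assign_terms ) ) {
        wp_terms_checklist( 0, array( 'taxonomy' => 'category' ) );
    }

    // Allow-list every free-form string before it reaches WP_Query.
    $allowed_types   = array( 'post', 'page' );
    $allowed_orderby = array( 'date', 'title', 'name' );

    $type = isset( $_GET['type'] ) ? sanitize_key( wp_unslash( $_GET['type'] ) ) : 'post';
    if ( ! in_array( $type, $allowed_types, true ) ) {
        $type = 'post';
    }

    $orderby = isset( $_GET['orderby'] ) ? sanitize_key( wp_unslash( $_GET['orderby'] ) ) : 'date';
    if ( ! in_array( $orderby, $allowed_orderby, true ) ) {
        $orderby = 'date';
    }

    // Integer lists: cast every element and drop anything that is not a
    // positive post ID, so no string ever reaches the IN (...) clause.
    $ids = isset( $_GET['ids'] ) ? (array) wp_unslash( $_GET['ids'] ) : array();
    $ids = array_values( array_filter( array_map( 'absint', $ids ) ) );

    $args = array(
        'post_type' => $type,
        'orderby'   => $orderby,
    );
    if ( ! empty( $ids ) ) {
        $args['post__in'] = $ids;
    }

    return new WP_Query( $args );
}
```

The hardened version treats core's sanitisation as defence in depth rather than as the only control: strings are reduced to a fixed allow-list, integer lists are cast element by element, and the UI is gated on the taxonomy's own `assign_terms` capability instead of on whether the user happens to be logged in.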