diff options
author | kwm <kwm@FreeBSD.org> | 2015-05-07 17:21:39 +0800 |
---|---|---|
committer | kwm <kwm@FreeBSD.org> | 2015-05-07 17:21:39 +0800 |
commit | bdf5456a0a4d6b5eeb507915f4725182743e8e45 (patch) | |
tree | 3cbcc591a1c91bc85c88f531479bf1ed73be824c | |
parent | 5686e1f50e4101dd63b95547eb93c4fbe5dc3b98 (diff) | |
download | freebsd-ports-gnome-bdf5456a0a4d6b5eeb507915f4725182743e8e45.tar.gz freebsd-ports-gnome-bdf5456a0a4d6b5eeb507915f4725182743e8e45.tar.zst freebsd-ports-gnome-bdf5456a0a4d6b5eeb507915f4725182743e8e45.zip |
Document current and previous wordpress vulnabilities.
-rw-r--r-- | security/vuxml/vuln.xml | 113 |
1 files changed, 113 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 81c9b494671f..16c3e832c155 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -57,6 +57,119 @@ Notes: --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="d86890da-f498-11e4-99aa-bcaec565249c"> + <topic>wordpress -- 2 cross-site scripting vulnerabilities</topic> + <affects> + <package> + <name>wordpress</name> + <range><lt>4.2.2,1</lt></range> + </package> + <package> + <name>de-wordpress</name> + <range><lt>4.2.2</lt></range> + </package> + <package> + <name>ja-wordpress</name> + <range><lt>4.2.2</lt></range> + </package> + <package> + <name>ru-wordpress</name> + <range><lt>4.2.2</lt></range> + </package> + <package> + <name>zh-wordpress-zh_CH</name> + <range><lt>4.2.2</lt></range> + </package> + <package> + <name>zh-wordpress-zh_TW</name> + <range><lt>4.2.2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Samuel Sidler reports:</p> + <blockquote cite="https://wordpress.org/news/2015/05/wordpress-4-2-2/"> + <p>The Genericons icon font package, which is used in a number of + popular themes and plugins, contained an HTML file vulnerable to + a cross-site scripting attack. All affected themes and plugins + hosted on WordPress.org (including the Twenty Fifteen default + theme) have been updated today by the WordPress security team + to address this issue by removing this nonessential file. To + help protect other Genericons usage, WordPress 4.2.2 + proactively scans the wp-content directory for this HTML + file and removes it. Reported by Robert Abela of Netsparker.</p> + + <p>WordPress versions 4.2 and earlier are affected by a critical + cross-site scripting vulnerability, which could enable anonymous + users to compromise a site. WordPress 4.2.2 includes a + comprehensive fix for this issue.</p> + + <p>The release also includes hardening for a potential cross-site + scripting vulnerability when using the visual editor. This issue + was reported by Mahadev Subedi.</p> + </blockquote> + </body> + </description> + <references> + <url>https://wordpress.org/news/2015/05/wordpress-4-2-2/</url> + </references> + <dates> + <discovery>2015-05-07</discovery> + <entry>2015-05-07</entry> + </dates> + </vuln> + + <vuln vid="ba4f9b19-ed9d-11e4-9118-bcaec565249c"> + <topic>wordpress -- cross-site scripting vulnerability</topic> + <affects> + <package> + <name>wordpress</name> + <range><lt>4.2.1,1</lt></range> + </package> + <package> + <name>de-wordpress</name> + <range><lt>4.2.1</lt></range> + </package> + <package> + <name>ja-wordpress</name> + <range><lt>4.2.1</lt></range> + </package> + <package> + <name>ru-wordpress</name> + <range><lt>4.2.1</lt></range> + </package> + <package> + <name>zh-wordpress-zh_CH</name> + <range><lt>4.2.1</lt></range> + </package> + <package> + <name>zh-wordpress-zh_TW</name> + <range><lt>4.2.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Gary Pendergast reports:</p> + <blockquote cite="https://wordpress.org/news/2015/04/wordpress-4-2-1/"> + <p>WordPress 4.2.1 is now available. This is a critical security + release for all previous versions and we strongly encourage you + to update your sites immediately.</p> + <p>A few hours ago, the WordPress team was made aware of a + cross-site scripting vulnerability, which could enable commenters + to compromise a site. The vulnerability was discovered by Jouko + Pynnöne.</p> + </blockquote> + </body> + </description> + <references> + <url>https://wordpress.org/news/2015/04/wordpress-4-2-1/</url> + </references> + <dates> + <discovery>2015-04-27</discovery> + <entry>2015-05-07</entry> + </dates> + </vuln> + <vuln vid="64e6006e-f009-11e4-98c6-000c292ee6b8"> <topic>powerdns -- Label decompression bug can cause crashes or CPU spikes</topic> <affects> |