[Secure-testing-team] Bug#823649: libjs-mediaelement: Reflected XSS vulnerability
Craig Small
csmall at debian.org
Sat May 7 01:58:22 UTC 2016
Package: libjs-mediaelement
Version: 2.15.1+dfsg-1
Severity: important
Tags: security upstream
I saw this regarding the wordpress 4.5.2 release[1]. MediaElement.js is
vulnerable to a reflected XSS attack. The wordpress patch is at [2]
but I cannot exactly find what has changed but I think it is the
url has the time added to randomize it more. [3]
1: https://wordpress.org/news/2016/05/wordpress-4-5-2/
2: https://core.trac.wordpress.org/changeset/37370
3: https://github.com/johndyer/mediaelement/commit/34834eef8ac830b9145df169ec22016a4350f06e
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.4.0-1-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
libjs-mediaelement depends on no packages.
Versions of packages libjs-mediaelement recommends:
ii libjs-jquery 1.11.3+dfsg-4
libjs-mediaelement suggests no packages.
-- no debconf information
More information about the Secure-testing-team
mailing list