[Secure-testing-team] Bug#883314: wordpress: CVE-2017-17091 CVE-2017-17092 CVE-2017-17093 CVE-2017-17094

Salvatore Bonaccorso carnil at debian.org
Sat Dec 2 09:11:24 UTC 2017


Source: wordpress
Version: 4.1+dfsg-1
X-Debbugs-CC: team at security.debian.org secure-testing-team at lists.alioth.debian.org
Severity: grave
Tags: security upstream fixed-upstream

Hi,

the following vulnerabilities were published for wordpress.

CVE-2017-17091[0]:
| wp-admin/user-new.php in WordPress before 4.9.1 sets the newbloguser
| key to a string that can be directly derived from the user ID, which
| allows remote attackers to bypass intended access restrictions by
| entering this string.

CVE-2017-17092[1]:
| wp-includes/functions.php in WordPress before 4.9.1 does not require
| the unfiltered_html capability for upload of .js files, which might
| allow remote attackers to conduct XSS attacks via a crafted file.

CVE-2017-17093[2]:
| wp-includes/general-template.php in WordPress before 4.9.1 does not
| properly restrict the lang attribute of an HTML element, which might
| allow attackers to conduct XSS attacks via the language setting of a
| site.

CVE-2017-17094[3]:
| wp-includes/feed.php in WordPress before 4.9.1 does not properly
| restrict enclosures in RSS and Atom fields, which might allow attackers
| to conduct XSS attacks via a crafted URL.

Published at [4]. The respective commits are all referenced in the
corresponding CVE page on the security-tracker and were used for the
CVE request.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-17091
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17091
[1] https://security-tracker.debian.org/tracker/CVE-2017-17092
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17092
[2] https://security-tracker.debian.org/tracker/CVE-2017-17093
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17093
[3] https://security-tracker.debian.org/tracker/CVE-2017-17094
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17094
[4] https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/

Regards,
Salvatore


