[Secure-testing-team] Bug#877629: wordpress: CVE-2017-14990
Salvatore Bonaccorso
carnil at debian.org
Tue Oct 3 15:17:08 UTC 2017
Source: wordpress
Version: 4.8.2+dfsg-1
Severity: important
Tags: upstream security
Forwarded: https://core.trac.wordpress.org/ticket/38474
Hi,
the following vulnerability was published for wordpress.
CVE-2017-14990[0]:
| WordPress 4.8.2 stores cleartext wp_signups.activation_key values (but
| stores the analogous wp_users.user_activation_key values as hashes),
| which might make it easier for remote attackers to hijack unactivated
| user accounts by leveraging database read access (such as access gained
| through an unspecified SQL injection vulnerability).
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-14990
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14990
[1] https://core.trac.wordpress.org/ticket/38474
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the Secure-testing-team
mailing list