[Secure-testing-team] Bug#887596: wordpress: XSS vulnerability in MediaElement
Craig Small
csmall at debian.org
Thu Jan 18 10:43:35 UTC 2018
Source: wordpress
Version: 4.9.1+dfsg-1
Severity: grave
Tags: security
Justification: user security hole
An XSS vulnerability was discovered in the Flash fallback files in MediaElement, a library that is included with WordPress. Because the Flash files are no longer needed for most use cases, they have been removed from WordPress.
I'm not 100% sure of how bad this is for Debian packages as a lot of
flash items are removed, but it could be still possibly triggered by
the JavaScript around it (this is where the patches seem to be).
This impacts all versions back to 3.7.
References:
https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/
https://wpvulndb.com/vulnerabilities/9006
-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.14.0-3-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8), LANGUAGE=en_AU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
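The upstream fix described in the report is the removal of the MediaElement Flash fallback files, so the most direct check on a deployed tree is that no such files remain. The POSIX shell function below is an added example, not part of the bug report or of the WordPress or Debian packaging; the `wp-includes/js/mediaelement` location is an assumption about the upstream layout, and the function simply walks whatever root it is given.

```shell
# Added example (not from the bug report, WordPress or Debian):
# verify that a WordPress tree no longer ships Flash (.swf) fallback files,
# which is what the upstream 4.9.2 fix removed from MediaElement.
# The upstream location is assumed to be wp-includes/js/mediaelement;
# the function does not depend on it and scans the whole tree given.

# list_flash_fallbacks <wordpress-root>
# Prints every .swf file found below the root.
# Returns 0 when none remain, 1 when at least one is still present.
list_flash_fallbacks() {
    root="${1:-.}"
    found=$(find "$root" -type f -name '*.swf' 2>/dev/null)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Usage: list_flash_fallbacks /usr/share/wordpress && echo "no Flash fallbacks"
```

Run it against the package's installed root after upgrading; a non-zero exit means a Flash fallback file survived the update and the JavaScript that references it may still be able to load it.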