Professional OVAL Repository

OVAL Definition Details
Id: oval:com.altx-soft.nix:def:885
Version: 3
Class: patch
ALTXid: 35280
Language: English
Severity: NotAvailable
Title: DSA-2470-1 wordpress - several
Description: Several vulnerabilities were identified in WordPress, a web blogging tool. As the CVEs were allocated from release announcements and specific fixes are usually not identified, it has been decided to upgrade the wordpress package to the latest upstream version instead of backporting the patches.
Family: unix
Platform:
  Debian GNU/kFreeBSD 6.0
  Debian GNU/Linux 6.0
Product: wordpress
Reference:
VENDOR: DSA-2470-1
  Id: DSA-2470-1
  Reference: http://www.debian.org/security/dsa-2470-1
CVE: CVE-2011-3122
  Id: CVE-2011-3122
  Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3122
  Comment: Unspecified vulnerability in WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 has unknown impact and attack vectors related to "Media security."
  CVSSv2 Score: 10
  Access vector: NETWORK
  Access complexity: LOW
  Authentication: NONE
  Confidentiality impact: COMPLETE
  Integrity impact: COMPLETE
  Availability impact: COMPLETE
  CVSSv2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
  References:
    http://wordpress.org/news/2011/05/wordpress-3-1-3/ (CONFIRM)
    47995 (BID)
    DSA-2470 (DEBIAN)
    49138 (SECUNIA)
    wordpress-media-unspecified(69175) (XF)
CVE: CVE-2011-3125
  Id: CVE-2011-3125
  Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3125
  Comment: Unspecified vulnerability in WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 has unknown impact and attack vectors related to "Various security hardening."
  CVSSv2 Score: 10
  Access vector: NETWORK
  Access complexity: LOW
  Authentication: NONE
  Confidentiality impact: COMPLETE
  Integrity impact: COMPLETE
  Availability impact: COMPLETE
  CVSSv2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
  References:
    http://wordpress.org/news/2011/05/wordpress-3-1-3/ (CONFIRM)
    DSA-2470 (DEBIAN)
    49138 (SECUNIA)
    wordpress-hardening-unspecified(69174) (XF)
CVE: CVE-2011-3126
  Id: CVE-2011-3126
  Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3126
  Comment: WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 allows remote attackers to determine usernames of non-authors via canonical redirects.
  CVSSv2 Score: 5
  Access vector: NETWORK
  Access complexity: LOW
  Authentication: NONE
  Confidentiality impact: PARTIAL
  Integrity impact: NONE
  Availability impact: NONE
  CVSSv2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
  CWE: 200 (Information Exposure)
  References:
    http://wordpress.org/news/2011/05/wordpress-3-1-3/ (CONFIRM)
    47995 (BID)
    DSA-2470 (DEBIAN)
    49138 (SECUNIA)
    wordpress-nonauthos-info-disclosure(69173) (XF)
CVE: CVE-2011-3127
  Id: CVE-2011-3127
  Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3127
  Comment: WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 does not prevent rendering for (1) admin or (2) login pages inside a frame in a third-party HTML document, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site.
  CVSSv2 Score: 5.8
  Access vector: NETWORK
  Access complexity: MEDIUM
  Authentication: NONE
  Confidentiality impact: PARTIAL
  Integrity impact: PARTIAL
  Availability impact: NONE
  CVSSv2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
  CWE: 20 (Improper Input Validation)
  References:
    http://wordpress.org/news/2011/05/wordpress-3-1-3/ (CONFIRM)
    47995 (BID)
    DSA-2470 (DEBIAN)
    49138 (SECUNIA)
    wordpress-admin-clickjacking(69172) (XF)
CVE: CVE-2011-3128
  Id: CVE-2011-3128
  Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3128
  Comment: WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 treats unattached attachments as published, which might allow remote attackers to obtain sensitive data via vectors related to wp-includes/post.php.
  CVSSv2 Score: 5
  Access vector: NETWORK
  Access complexity: LOW
  Authentication: NONE
  Confidentiality impact: PARTIAL
  Integrity impact: NONE
  Availability impact: NONE
  CVSSv2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
  CWE: 200 (Information Exposure)
  References:
    http://core.trac.wordpress.org/changeset/18023/branches/3.1 (CONFIRM)
    http://wordpress.org/news/2011/05/wordpress-3-1-3/ (CONFIRM)
    47995 (BID)
    DSA-2470 (DEBIAN)
    49138 (SECUNIA)
    wordpress-attachments-info-disc(69171) (XF)
CVE: CVE-2011-3129
  Id: CVE-2011-3129
  Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3129
  Comment: The file upload functionality in WordPress 3.1 before 3.1.3 and 3.2 before Beta 2, when running "on hosts with dangerous security settings," has unknown impact and attack vectors, possibly related to dangerous filenames.
  CVSSv2 Score: 9.3
  Access vector: NETWORK
  Access complexity: MEDIUM
  Authentication: NONE
  Confidentiality impact: COMPLETE
  Integrity impact: COMPLETE
  Availability impact: COMPLETE
  CVSSv2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
  CWE: 264 (Permissions, Privileges, and Access Controls)
  References:
    http://wordpress.org/news/2011/05/wordpress-3-1-3/ (CONFIRM)
    47995 (BID)
    DSA-2470 (DEBIAN)
    49138 (SECUNIA)
CVE: CVE-2011-3130
  Id: CVE-2011-3130
  Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3130
  Comment: wp-includes/taxonomy.php in WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 has unknown impact and attack vectors related to "Taxonomy query hardening," possibly involving SQL injection.
  CVSSv2 Score: 7.5
  Access vector: NETWORK
  Access complexity: LOW
  Authentication: NONE
  Confidentiality impact: PARTIAL
  Integrity impact: PARTIAL
  Availability impact: PARTIAL
  CVSSv2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
  CWE: 89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))
  References:
    http://wordpress.org/news/2011/05/wordpress-3-1-3/ (CONFIRM)
    47995 (BID)
    DSA-2470 (DEBIAN)
    49138 (SECUNIA)
    wordpress-taxonomy-unspecified(69169) (XF)
CVE: CVE-2011-4956
  Id: CVE-2011-4956
  Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4956
  Comment: Cross-site scripting (XSS) vulnerability in WordPress before 3.1.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
  CVSSv2 Score: 4.3
  Access vector: NETWORK
  Access complexity: MEDIUM
  Authentication: NONE
  Confidentiality impact: NONE
  Integrity impact: PARTIAL
  Availability impact: NONE
  CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
  CWE: 79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
  References:
    72141 (OSVDB)
    DSA-2470 (DEBIAN)
    http://wordpress.org/news/2011/04/wordpress-3-1-1/ (CONFIRM)
    [oss-security] 20120419 Re: CVE-request: WordPress 3.1.1 (MLIST)
    49138 (SECUNIA)
    44038 (SECUNIA)
    [oss-security] 20120419 Re: CVE-request: WordPress 3.1.1 (MLIST)
CVE: CVE-2011-4957
  Id: CVE-2011-4957
  Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4957
  Comment: The make_clickable function in wp-includes/formatting.php in WordPress before 3.1.1 does not properly check URLs before passing them to the PCRE library, which allows remote attackers to cause a denial of service (crash) via a comment with a crafted URL that triggers many recursive calls.
  CVSSv2 Score: 5
  Access vector: NETWORK
  Access complexity: LOW
  Authentication: NONE
  Confidentiality impact: NONE
  Integrity impact: NONE
  Availability impact: PARTIAL
  CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
  CWE: 20 (Improper Input Validation)
  References:
    44038 (SECUNIA)
    http://wordpress.org/news/2011/04/wordpress-3-1-1/ (CONFIRM)
    49138 (SECUNIA)
    http://core.trac.wordpress.org/ticket/16892 (CONFIRM)
    DSA-2470 (DEBIAN)
    [oss-security] 20120419 Re: CVE-request: WordPress 3.1.1 (MLIST)
    [oss-security] 20120419 Re: CVE-request: WordPress 3.1.1 (MLIST)
CVE: CVE-2012-2399
  Id: CVE-2012-2399
  Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2399
  Comment: Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFupload 2.2.0.1 and earlier, as used in WordPress before 3.5.2, TinyMCE Image Manager 1.1 and earlier, and other products allows remote attackers to inject arbitrary web script or HTML via the buttonText parameter, a different vulnerability than CVE-2012-3414.
  CVSSv2 Score: 10
  Access vector: NETWORK
  Access complexity: LOW
  Authentication: NONE
  Confidentiality impact: COMPLETE
  Integrity impact: COMPLETE
  Availability impact: COMPLETE
  CVSSv2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
  References:
    http://wordpress.org/news/2012/04/wordpress-3-3-2/ (CONFIRM)
    http://core.trac.wordpress.org/browser/branches/3.3/wp-includes/js/swfupload/swfupload.swf?rev=20503 (CONFIRM)
    DSA-2470 (DEBIAN)
    49138 (SECUNIA)
    20130310 CS and XSS vulnerabilities in SWFUpload (FULLDISC)
    http://packetstormsecurity.com/files/120746/SWFUpload-Content-Spoofing-Cross-Site-Scripting.html (MISC)
    http://make.wordpress.org/core/2013/06/21/secure-swfupload/ (CONFIRM)
    [oss-security] 20130718 Re: Re: SWFUpload <= (Object Injection/CSRF) Vulnerabilities Multiple flaws (MLIST)
    http://packetstormsecurity.com/files/122399/tinymce11-xss.txt (MISC)
    91134 (OSVDB)
    JVNDB-2012-002110 (JVNDB)
    JVN#25280162 (JVN)
    53192 (BID)
    wordpress-swfupload-unspecified(75210) (XF)
    81459 (OSVDB)
CVE: CVE-2012-2400
  Id: CVE-2012-2400
  Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2400
  Comment: Unspecified vulnerability in wp-includes/js/swfobject.js in WordPress before 3.3.2 has unknown impact and attack vectors.
  CVSSv2 Score: 10
  Access vector: NETWORK
  Access complexity: LOW
  Authentication: NONE
  Confidentiality impact: COMPLETE
  Integrity impact: COMPLETE
  Availability impact: COMPLETE
  CVSSv2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
  References:
    http://wordpress.org/news/2012/04/wordpress-3-3-2/ (CONFIRM)
    http://core.trac.wordpress.org/changeset/20499/branches/3.3/wp-includes/js/swfobject.js (CONFIRM)
    DSA-2470 (DEBIAN)
    49138 (SECUNIA)
    53192 (BID)
    wordpress-swfobject-unspecified(75209) (XF)
    81460 (OSVDB)
CVE: CVE-2012-2401
  Id: CVE-2012-2401
  Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2401
  Comment: Plupload before 1.5.4, as used in wp-includes/js/plupload/ in WordPress before 3.3.2 and other products, enables scripting regardless of the domain from which the SWF content was loaded, which allows remote attackers to bypass the Same Origin Policy via crafted content.
  CVSSv2 Score: 5
  Access vector: NETWORK
  Access complexity: LOW
  Authentication: NONE
  Confidentiality impact: NONE
  Integrity impact: PARTIAL
  Availability impact: NONE
  CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
  CWE: 264 (Permissions, Privileges, and Access Controls)
  References:
    http://wordpress.org/news/2012/04/wordpress-3-3-2/ (CONFIRM)
    http://core.trac.wordpress.org/browser/branches/3.3/wp-includes/js/plupload/changelog.txt?rev=20487 (CONFIRM)
    http://core.trac.wordpress.org/browser/branches/3.3/wp-includes/js/plupload?rev=20487 (CONFIRM)
    DSA-2470 (DEBIAN)
    49138 (SECUNIA)
    https://nealpoole.com/blog/2012/05/xss-and-csrf-via-swf-applets-swfupload-plupload/ (MISC)
    http://www.plupload.com/punbb/viewtopic.php?id=1685 (CONFIRM)
    53192 (BID)
    wordpress-plupload-sec-bypass(75208) (XF)
    81461 (OSVDB)
CVE: CVE-2012-2402
  Id: CVE-2012-2402
  Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2402
  Comment: wp-admin/plugins.php in WordPress before 3.3.2 allows remote authenticated site administrators to bypass intended access restrictions and deactivate network-wide plugins via unspecified vectors.
  CVSSv2 Score: 5.5
  Access vector: NETWORK
  Access complexity: LOW
  Authentication: SINGLE
  Confidentiality impact: NONE
  Integrity impact: PARTIAL
  Availability impact: PARTIAL
  CVSSv2 Vector: AV:N/AC:L/Au:S/C:N/I:P/A:P
  CWE: 264 (Permissions, Privileges, and Access Controls)
  References:
    http://wordpress.org/news/2012/04/wordpress-3-3-2/ (CONFIRM)
    http://core.trac.wordpress.org/changeset/20526/branches/3.3/wp-admin/plugins.php (CONFIRM)
    DSA-2470 (DEBIAN)
    49138 (SECUNIA)
    wordpress-plugins-security-bypass(75090) (XF)
    53192 (BID)
    48957 (SECUNIA)
    wordpress-plugins-sec-bypass(75207) (XF)
    81462 (OSVDB)
CVE: CVE-2012-2403
  Id: CVE-2012-2403
  Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2403
  Comment: wp-includes/formatting.php in WordPress before 3.3.2 attempts to enable clickable links inside attributes, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors.
  CVSSv2 Score: 4.3
  Access vector: NETWORK
  Access complexity: MEDIUM
  Authentication: NONE
  Confidentiality impact: NONE
  Integrity impact: PARTIAL
  Availability impact: NONE
  CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
  CWE: 79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
  References:
    http://core.trac.wordpress.org/changeset/20493/branches/3.3/wp-includes/capabilities.php (CONFIRM)
    http://wordpress.org/news/2012/04/wordpress-3-3-2/ (CONFIRM)
    http://core.trac.wordpress.org/changeset/20493/branches/3.3/wp-includes/formatting.php (CONFIRM)
    DSA-2470 (DEBIAN)
    49138 (SECUNIA)
    wordpress-url-xss(75093) (XF)
    53192 (BID)
    48957 (SECUNIA)
    wordpress-formatting-xss(75206) (XF)
    81463 (OSVDB)
CVE: CVE-2012-2404
  Id: CVE-2012-2404
  Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2404
  Comment: wp-comments-post.php in WordPress before 3.3.2 supports offsite redirects, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors.
  CVSSv2 Score: 4.3
  Access vector: NETWORK
  Access complexity: MEDIUM
  Authentication: NONE
  Confidentiality impact: NONE
  Integrity impact: PARTIAL
  Availability impact: NONE
  CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
  CWE: 79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
  References:
    http://wordpress.org/news/2012/04/wordpress-3-3-2/ (CONFIRM)
    http://core.trac.wordpress.org/changeset/20486/branches/3.3/wp-comments-post.php (CONFIRM)
    DSA-2470 (DEBIAN)
    49138 (SECUNIA)
    wordpress-wpredirect-xss(75092) (XF)
    53192 (BID)
    48957 (SECUNIA)
    wordpress-wpcommentspostphp-xss(75202) (XF)
    81464 (OSVDB)