Executive Summary
| Summary | |
|---|---|
| Title | wordpress security update |
| Informations | |||
|---|---|---|---|
| Name | DSA-2757 | First vendor Publication | 2013-09-14 |
| Vendor | Debian | Last vendor Modification | 2013-09-14 |
| Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 7.5 | Attack Range | Network |
| Cvss Impact Score | 6.4 | Attack Complexity | Low |
| Cvss Expoit Score | 10 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Several vulnerabilities were identified in Wordpress, a web blogging tool. As the CVEs were allocated from releases announcements and specific fixes are usually not identified, it has been decided to upgrade the Wordpress package to the latest upstream version instead of backporting the patches. This means extra care should be taken when upgrading, especially when using third-party plugins or themes, since compatibility may have been impacted along the way. We recommend that users check their install before doing the upgrade. CVE-2013-4338 Unsafe PHP unserialization in wp-includes/functions.php could cause arbitrary code execution. CVE-2013-4339 Insufficient input validation could result in redirecting or leading a user to another website. CVE-2013-4340 Privilege escalation allowing an user with an author role to create an entry appearing as written by another user. CVE-2013-5738 Insufficient capabilities were required for uploading .html/.html files, making it easier for authenticated users to conduct cross-site scripting attacks (XSS) using crafted html file uploads. CVE-2013-5739 Default Wordpress configuration allowed file upload for .swf/.exe files, making it easier for authenticated users to conduct cross-site scripting attacks (XSS). For the oldstable distribution (squeeze), these problems have been fixed in version 3.6.1+dfsg-1~deb6u1. For the stable distribution (wheezy), these problems have been fixed in version 3.6.1+dfsg-1~deb7u1. For the testing distribution (jessie), these problems have been fixed in version 3.6.1+dfsg-1. For the unstable distribution (sid), these problems have been fixed in version 3.6.1+dfsg-1. We recommend that you upgrade your wordpress packages. |
Original Source
| Url : http://www.debian.org/security/2013/dsa-2757 |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 40 % | CWE-20 | Improper Input Validation |
| 20 % | CWE-264 | Permissions, Privileges, and Access Controls |
| 20 % | CWE-94 | Failure to Control Generation of Code ('Code Injection') |
| 20 % | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25) |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:19772 | |||
| Oval ID: | oval:org.mitre.oval:def:19772 | ||
| Title: | DSA-2757-1 wordpress - several | ||
| Description: | Several vulnerabilities were identified in Wordpress, a web blogging tool. As the CVEs were allocated from releases announcements and specific fixes are usually not identified, it has been decided to upgrade the Wordpress package to the latest upstream version instead of backporting the patches. | ||
| Family: | unix | Class: | patch |
| Reference(s): | DSA-2757-1 CVE-2013-4338 CVE-2013-4339 CVE-2013-4340 CVE-2013-5738 CVE-2013-5739 | Version: | 5 |
| Platform(s): | Debian GNU/Linux 6.0 Debian GNU/Linux 7 Debian GNU/kFreeBSD 6.0 Debian GNU/kFreeBSD 7 | Product(s): | wordpress |
| Definition Synopsis: | |||
| |||
CPE : Common Platform Enumeration
Information Assurance Vulnerability Management (IAVM)
| Date | Description |
|---|---|
| 2013-09-19 | IAVM : 2013-B-0106 - Multiple Vulnerabilities in WordPress Severity : Category I - VMSKEY : V0040374 |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2013-10-20 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_043d3a78f24549389bc73d0d35dd94bf.nasl - Type : ACT_GATHER_INFO |
| 2013-09-27 | Name : The remote Fedora host is missing a security update. File : fedora_2013-16855.nasl - Type : ACT_GATHER_INFO |
| 2013-09-27 | Name : The remote Fedora host is missing a security update. File : fedora_2013-16895.nasl - Type : ACT_GATHER_INFO |
| 2013-09-27 | Name : The remote Fedora host is missing a security update. File : fedora_2013-16925.nasl - Type : ACT_GATHER_INFO |
| 2013-09-20 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2013-239.nasl - Type : ACT_GATHER_INFO |
| 2013-09-19 | Name : The remote web server contains a PHP application that is affected by multiple... File : wordpress_3_6_1.nasl - Type : ACT_GATHER_INFO |
| 2013-09-15 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2757.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:32:10 |
|
| 2013-09-14 13:19:58 |
|
