Executive Summary
Information | | |
---|---|---|---
Name | MDVSA-2013:189 | First vendor publication | 2013-07-02
Vendor | Mandriva | Last vendor modification | 2013-07-02
Severity (vendor) | N/A | Revision | N/A
Security-Database Scoring CVSS v3
CVSS vector: N/A
Metric | Value | Metric | Value
---|---|---|---
Overall CVSS score | N/A | |
Base score | N/A | Environmental score | N/A
Impact subscore | N/A | Temporal score | N/A
Exploitability subscore | N/A | |
Security-Database Scoring CVSS v2
CVSS vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)
Metric | Value | Metric | Value
---|---|---|---
CVSS base score | 6.4 | Attack range | Network
CVSS impact score | 4.9 | Attack complexity | Low
CVSS exploit score | 10 | Authentication | None required
Detail
Updated wordpress package fixes security vulnerabilities:
- A denial of service flaw was found in the way WordPress, a blog tool and publishing platform, performed hash computation when checking the password for password-protected blog posts. A remote attacker could provide specially crafted input that, when processed by the password checking mechanism of WordPress, would lead to excessive CPU consumption (CVE-2013-2173).
- Inadequate SSRF protection for HTTP requests where the user can provide a URL can allow for attacks against the intranet and other sites. This is a continuation of work related to CVE-2013-0235, which was specific to SSRF in pingback requests and was fixed in 3.5.1 (CVE-2013-2199).
- Inadequate checking of a user's capabilities could allow them to publish posts when their user role should not allow for it, and to assign posts to other authors (CVE-2013-2200).
- Inadequate escaping allowed an administrator to trigger a cross-site scripting vulnerability through the uploading of media files and plugins (CVE-2013-2201).
- The processing of an oEmbed response is vulnerable to an XXE (CVE-2013-2202).
- If the uploads directory is not writable, error message data returned via XHR will include a full path to the directory (CVE-2013-2203).
- Content spoofing in the MoxieCode (TinyMCE) MoxiePlayer project (CVE-2013-2204).
- Cross-domain XSS in SWFUpload (CVE-2013-2205).
Original Source
URL: http://www.mandriva.com/security/advisories?name=MDVSA-2013:189
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
33 % | CWE-264 | Permissions, Privileges, and Access Controls |
22 % | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25) |
11 % | CWE-310 | Cryptographic Issues |
11 % | CWE-200 | Information Exposure |
11 % | CWE-20 | Improper Input Validation |
11 % | CWE-16 | Configuration |
OVAL Definitions
Definition ID: oval:org.mitre.oval:def:19614
Field | Value
---|---
OVAL ID | oval:org.mitre.oval:def:19614
Title | DSA-2718-1 wordpress - several
Description | Several vulnerabilities were identified in WordPress, a web blogging tool. As the CVEs were allocated from release announcements and specific fixes are usually not identified, it has been decided to upgrade the wordpress package to the latest upstream version instead of backporting the patches.
Family | unix
Class | patch
Reference(s) | DSA-2718-1, CVE-2013-2173, CVE-2013-2199, CVE-2013-2200, CVE-2013-2201, CVE-2013-2202, CVE-2013-2203, CVE-2013-2204, CVE-2013-2205, CVE-2013-0235
Version | 5
Platform(s) | Debian GNU/Linux 6.0, Debian GNU/Linux 7, Debian GNU/kFreeBSD 6.0, Debian GNU/kFreeBSD 7
Product(s) | wordpress
Definition synopsis |
CPE : Common Platform Enumeration
Snort® IPS/IDS
Date | Description |
---|---|
2017-01-04 | WordPress XMLRPC pingback ddos attempt RuleID : 40883 - Revision : 3 - Type : SERVER-WEBAPP |
2014-01-10 | WordPress XMLRPC potential port-scan attempt RuleID : 28849 - Revision : 4 - Type : SERVER-WEBAPP |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2013-07-28 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_049332d2f6e111e282f3000c29ee3065.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Fedora host is missing a security update. File : fedora_2013-11590.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Fedora host is missing a security update. File : fedora_2013-11630.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Fedora host is missing a security update. File : fedora_2013-11649.nasl - Type : ACT_GATHER_INFO |
2013-07-03 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2718.nasl - Type : ACT_GATHER_INFO |
2013-07-03 | Name : The remote Mandriva Linux host is missing a security update. File : mandriva_MDVSA-2013-189.nasl - Type : ACT_GATHER_INFO |
2013-06-28 | Name : The remote web server contains a PHP application that is affected by multiple... File : wordpress_3_5_2.nasl - Type : ACT_GATHER_INFO |
2013-02-11 | Name : The remote Fedora host is missing a security update. File : fedora_2013-1692.nasl - Type : ACT_GATHER_INFO |
2013-02-11 | Name : The remote Fedora host is missing a security update. File : fedora_2013-1774.nasl - Type : ACT_GATHER_INFO |
2013-02-04 | Name : The remote web server contains a PHP application that is affected by multiple... File : wordpress_3_5_1.nasl - Type : ACT_GATHER_INFO |
2013-02-04 | Name : The remote web server contains a PHP application that is affected by a server... File : wordpress_xmlrpc_pingback_request_forgery.nasl - Type : ACT_ATTACK |
2013-01-30 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_559e00b76a4d11e2b6b010bf48230856.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Information
---|---
2014-02-17 11:43:52 |
2013-07-09 13:22:09 |
2013-07-02 17:20:08 |