Date: Tue, 28 Apr 2015 09:48:09 +0200
From: C0r3dump3d <coredump@...istici.org>
To: fulldisclosure@...lists.org
Subject: Re: [FD] WordPress 4.2 stored XSS

Curiously, we had the same problem when we tried to report the
vulnerability CVE-2014-9034
(https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9034) to
WordPress. We tried, repeatedly, to contact WP through HackerOne and
email, but they did not respond. Only through the intervention of the
CERT/CC, and after about six months, did they show the necessary interest.


Andres.


On 27/04/15 at 23:33, Winni Neessen wrote:
> On 27.04.2015 at 16:55, Hanno Böck <hanno@...eck.de> wrote:
> 
>> As there is still no fix from upstream I created a quick'n'dirty
>> fix for it: https://gist.github.com/hannob/a07f7b7e196c75c4c1a8 
>> https://files.hboeck.de/wordpress-4.2-emergency-fix-xss.diff
>> 
> 
> Looks like the WP team published an official fix:
> https://wordpress.org/news/2015/04/wordpress-4-2-1/
> 
> "A few hours ago, the WordPress team was made aware of a
> cross-site scripting vulnerability, which could enable commenters
> to compromise a site. The vulnerability was discovered by Jouko
> Pynnönen."
> 
> Winni
> 
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
> 

