Message-ID: <553F3B39.8080800@autistici.org>
Date: Tue, 28 Apr 2015 09:48:09 +0200
From: C0r3dump3d <coredump@...istici.org>
To: fulldisclosure@...lists.org
Subject: Re: [FD] WordPress 4.2 stored XSS
Curiously, we had the same problem when we tried to communicate the
vulnerability CVE-2014-9034
(https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9034) to WordPress. We
tried, repeatedly, to contact WP through HackerOne and email, but they did
not respond. Only through the intervention of the CERT/CC, and after
about six months, did they show the necessary interest.
Andres.
On 27/04/15 at 23:33, Winni Neessen wrote:
> On 27.04.2015 at 16:55, Hanno Böck <hanno@...eck.de> wrote:
>
>> As there is still no fix from upstream I created a quick'n'dirty
>> fix for it: https://gist.github.com/hannob/a07f7b7e196c75c4c1a8
>> https://files.hboeck.de/wordpress-4.2-emergency-fix-xss.diff
>>
>
> Looks like the WP team published an official fix:
> https://wordpress.org/news/2015/04/wordpress-4-2-1/
>
> "A few hours ago, the WordPress team was made aware of a
> cross-site scripting vulnerability, which could enable commenters
> to compromise a site. The vulnerability was discovered by Jouko
> Pynnönen.“
>
>
> Winni
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/