Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
debianDebianDEBIAN:DLA-2429-1:2CED7
HistoryNov 03, 2020 - 7:19 a.m.

[SECURITY] [DLA 2429-1] wordpress security update

2020-11-0307:19:50
lists.debian.org
28

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.026 Low

EPSS

Percentile

90.1%

JSON

Debian LTS Advisory DLA-2429-1 [email protected]
https://www.debian.org/lts/security/ Utkarsh Gupta
November 03, 2020 https://wiki.debian.org/LTS

Package : wordpress
Version : 4.7.19+dfsg-1+deb9u1
CVE ID : CVE-2020-28032 CVE-2020-28033 CVE-2020-28034
CVE-2020-28035 CVE-2020-28036 CVE-2020-28037
CVE-2020-28038 CVE-2020-28039 CVE-2020-28040
Debian Bug : 973562

There were several vulnerabilites reported against wordpress,
as follows:

CVE-2020-28032

WordPress before 4.7.19 mishandles deserialization requests in
wp-includes/Requests/Utility/FilteredIterator.php.

CVE-2020-28033

WordPress before 4.7.19 mishandles embeds from disabled sites
on a multisite network, as demonstrated by allowing a spam
embed.

CVE-2020-28034

WordPress before 4.7.19 allows XSS associated with global
variables.

CVE-2020-28035

WordPress before 4.7.19 allows attackers to gain privileges via
XML-RPC.

CVE-2020-28036

wp-includes/class-wp-xmlrpc-server.php in WordPress before
4.7.19 allows attackers to gain privileges by using XML-RPC to
comment on a post.

CVE-2020-28037

is_blog_installed in wp-includes/functions.php in WordPress
before 4.7.19 improperly determines whether WordPress is
already installed, which might allow an attacker to perform
a new installation, leading to remote code execution (as well
as a denial of service for the old installation).

CVE-2020-28038

WordPress before 4.7.19 allows stored XSS via post slugs.

CVE-2020-28039

is_protected_meta in wp-includes/meta.php in WordPress before
4.7.19 allows arbitrary file deletion because it does not
properly determine whether a meta key is considered protected.

CVE-2020-28040

WordPress before 4.7.19 allows CSRF attacks that change a
theme's background image.

For Debian 9 stretch, these problems have been fixed in version
4.7.19+dfsg-1+deb9u1.

We recommend that you upgrade your wordpress packages.

For the detailed security status of wordpress please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/wordpress

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian9allwordpress-l10n< 4.7.19+dfsg-1+deb9u1wordpress-l10n_4.7.19+dfsg-1+deb9u1_all.deb
Debian10allwordpress-theme-twentyseventeen< 5.0.11+dfsg1-0+deb10u1wordpress-theme-twentyseventeen_5.0.11+dfsg1-0+deb10u1_all.deb
Debian9allwordpress-theme-twentysixteen< 4.7.19+dfsg-1+deb9u1wordpress-theme-twentysixteen_4.7.19+dfsg-1+deb9u1_all.deb
Debian9allwordpress-theme-twentyseventeen< 4.7.19+dfsg-1+deb9u1wordpress-theme-twentyseventeen_4.7.19+dfsg-1+deb9u1_all.deb
Debian9allwordpress< 4.7.19+dfsg-1+deb9u1wordpress_4.7.19+dfsg-1+deb9u1_all.deb
Debian9allwordpress-theme-twentyfifteen< 4.7.19+dfsg-1+deb9u1wordpress-theme-twentyfifteen_4.7.19+dfsg-1+deb9u1_all.deb
Debian10allwordpress-l10n< 5.0.11+dfsg1-0+deb10u1wordpress-l10n_5.0.11+dfsg1-0+deb10u1_all.deb
Debian10allwordpress-theme-twentysixteen< 5.0.11+dfsg1-0+deb10u1wordpress-theme-twentysixteen_5.0.11+dfsg1-0+deb10u1_all.deb
Debian10allwordpress< 5.0.11+dfsg1-0+deb10u1wordpress_5.0.11+dfsg1-0+deb10u1_all.deb
Debian10allwordpress-theme-twentynineteen< 5.0.11+dfsg1-0+deb10u1wordpress-theme-twentynineteen_5.0.11+dfsg1-0+deb10u1_all.deb

Related

osv 30
nessus 6
debian 2
fedora 3
archlinux 1
wpvulndb 8
debiancve 9
ubuntucve 9
prion 9
redhatcve 1
patchstack 7
cve 9
veracode 10
github 1
friendsofphp 1
osv
osv
wordpress - security update
2020-11-03 00:00:00
wordpress - security update
2020-11-06 00:00:00
BIT-wordpress-multisite-2020-28039
2024-03-06 11:11:14
nessus
nessus
Fedora 32 : wordpress (2020-b386fac43a)
2020-11-12 00:00:00
Fedora 31 : wordpress (2020-15e15c35da)
2020-11-12 00:00:00
Fedora 33 : wordpress (2020-a764b11b52)
2020-11-12 00:00:00
debian
debian
[SECURITY] [DSA 4784-1] wordpress security update
2020-11-06 13:39:18
[SECURITY] [DSA 4784-1] wordpress security update
2020-11-06 13:39:18
fedora
fedora
[SECURITY] Fedora 32 Update: wordpress-5.5.3-1.fc32
2020-11-11 01:21:28
[SECURITY] Fedora 33 Update: wordpress-5.5.3-1.fc33
2020-11-11 01:20:58
[SECURITY] Fedora 31 Update: wordpress-5.5.3-1.fc31
2020-11-11 01:32:19
archlinux
archlinux
[ASA-202011-3] wordpress: multiple issues
2020-11-03 00:00:00
wpvulndb
wpvulndb
WordPress < 5.5.2 - XML-RPC Privilege Escalation
2020-10-29 00:00:00
WordPress < 5.5.2 - Unauthenticated DoS Attack to RCE
2020-10-29 00:00:00
WordPress < 5.5.2 - Disable Spam Embeds from Disabled Sites on a Multisite Network
2020-10-29 00:00:00
debiancve
debiancve
CVE-2020-28037
2020-11-02 21:15:00
CVE-2020-28034
2020-11-02 21:15:00
CVE-2020-28033
2020-11-02 21:15:00
ubuntucve
ubuntucve
CVE-2020-28035
2020-11-02 00:00:00
CVE-2020-28037
2020-11-02 00:00:00
CVE-2020-28040
2020-11-02 00:00:00
prion
prion
Arbitrary file deletion
2020-11-02 21:15:00
Cross site scripting
2020-11-02 21:15:00
Design/Logic Flaw
2020-11-02 21:15:00
redhatcve
redhatcve
CVE-2020-28036
2022-05-20 22:36:00
patchstack
patchstack
WordPress <= 5.5.1 - Mishandled deserialization requests vulnerability
2020-10-29 00:00:00
WordPress <= 5.5.1 - Mishandling Embeds From Disabled Sites On a Multisite Network vulnerability
2020-10-29 00:00:00
WordPress <= 5.5.1 - Cross-Site Request Forgery (CSRF) vulnerability
2020-10-29 00:00:00
cve
cve
CVE-2020-28035
2020-11-02 21:15:00
CVE-2020-28036
2020-11-02 21:15:00
CVE-2020-28034
2020-11-02 21:15:00
veracode
veracode
Insecure Spam Embeds
2020-11-03 08:45:48
Cross-site Scripting (XSS)
2020-11-03 07:36:19
Privilege Escalation
2020-11-03 06:23:45
github
github
Insecure Deserialization of untrusted data in rmccue/requests
2021-04-29 21:52:30
friendsofphp
friendsofphp
Insecure Deserialization of untrusted data
2020-11-03 08:51:20

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.026 Low

EPSS

Percentile

90.1%

JSON
Related for DEBIAN:DLA-2429-1:2CED7
osv30nessus6debian2fedora3archlinux1wpvulndb8debiancve9ubuntucve9prion9redhatcve1patchstack7cve9veracode10github1friendsofphp1