CVE-2012-5868

2012-12-2711:47:01

Debian Security Bug Tracker

security-tracker.debian.org

wordpress

session cookie

vulnerability

remote attackers

brute-force

replay attack

unix

CVSS2

2.6

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:H/Au:N/C:P/I:N/A:N

EPSS

0.002

Percentile

64.4%

JSON

WordPress 3.4.2 does not invalidate a wordpress_sec session cookie upon an administrator’s logout action, which makes it easier for remote attackers to discover valid session identifiers via a brute-force attack, or modify data via a replay attack.

OSVersionArchitecturePackageVersionFilename
Debian12allwordpress<= 6.1.6+dfsg1-0+deb12u1wordpress_6.1.6+dfsg1-0+deb12u1_all.deb
Debian11allwordpress<= 5.7.11+dfsg1-0+deb11u1wordpress_5.7.11+dfsg1-0+deb11u1_all.deb
Debian999allwordpress<= 6.6.1+dfsg1-1wordpress_6.6.1+dfsg1-1_all.deb
Debian13allwordpress<= 6.6.1+dfsg1-1wordpress_6.6.1+dfsg1-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	wordpress	<= 6.1.6+dfsg1-0+deb12u1	wordpress_6.1.6+dfsg1-0+deb12u1_all.deb
Debian	11	all	wordpress	<= 5.7.11+dfsg1-0+deb11u1	wordpress_5.7.11+dfsg1-0+deb11u1_all.deb
Debian	999	all	wordpress	<= 6.6.1+dfsg1-1	wordpress_6.6.1+dfsg1-1_all.deb
Debian	13	all	wordpress	<= 6.6.1+dfsg1-1	wordpress_6.6.1+dfsg1-1_all.deb