Lucene search

K

[email protected]NVD:CVE-2020-4047

HistoryJun 12, 2020 - 4:15 p.m.

CVE-2020-4047

2020-06-1216:15:10

CWE-80

[email protected]

web.nvd.nist.gov

3.5 Low

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

6.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N

0.001 Low

EPSS

Percentile

43.5%

In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way. This can lead to script execution in the context of a higher privileged user when the file is viewed by them. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

Affected configurations

NVD

Node

wordpresswordpressRange3.7–3.7.34

OR

wordpresswordpressRange3.8–3.8.34

OR

wordpresswordpressRange3.9–3.9.32

OR

wordpresswordpressRange4.0–4.0.31

OR

wordpresswordpressRange4.1–4.1.31

OR

wordpresswordpressRange4.2–4.2.28

OR

wordpresswordpressRange4.3–4.3.24

OR

wordpresswordpressRange4.4–4.4.23

OR

wordpresswordpressRange4.5–4.5.22

OR

wordpresswordpressRange4.6–4.6.19

OR

wordpresswordpressRange4.7–4.7.18

OR

wordpresswordpressRange4.8–4.8.14

OR

wordpresswordpressRange4.9–4.9.15

OR

wordpresswordpressRange5.0–5.0.10

OR

wordpresswordpressRange5.1–5.1.6

OR

wordpresswordpressRange5.2–5.2.7

OR

wordpresswordpressRange5.3.0–5.3.4

OR

wordpresswordpressRange5.4–5.4.2

Node

fedoraprojectfedoraMatch32

OR

fedoraprojectfedoraMatch33

Node

debiandebian_linuxMatch8.0

OR

debiandebian_linuxMatch9.0

OR

debiandebian_linuxMatch10.0

References

github.com/WordPress/wordpress-develop/commit/0977c0d6b241479ecedfe19e96be69f727c3f81f

github.com/WordPress/wordpress-develop/security/advisories/GHSA-8q2w-5m27-wm27

lists.debian.org/debian-lts-announce/2020/07/msg00000.html

lists.debian.org/debian-lts-announce/2020/09/msg00011.html

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/773N2ZV7QEMBGKH6FBKI6Q5S3YJMW357/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ODNHXVJS25YVWYQHOCICXTLIN5UYJFDN/

wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/

www.debian.org/security/2020/dsa-4709

3.5 Low

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

6.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N

0.001 Low

EPSS

Percentile

43.5%

Related for NVD:CVE-2020-4047

wpvulndb1 redhatcve1 cvelist1 ubuntucve1 debiancve1 veracode1 prion1 osv6 cve1 nessus6 debian4 openvas7 fedora2