Lucene search
GoogleOSV:DSA-3085-1HistoryDec 03, 2014 - 12:00 a.m.
wordpress - security update
2014-12-0300:00:00
Google
osv.dev
9
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
Multiple security issues have been discovered in Wordpress, a web
blogging tool, resulting in denial of service or information disclosure.
More information can be found in the upstream advisory at
- CVE-2014-9031
Jouko Pynnonen discovered an unauthenticated cross site scripting
vulnerability (XSS) in wptexturize(), exploitable via comments or
posts. - CVE-2014-9033
Cross site request forgery (CSRF) vulnerability in the password
changing process, which could be used by an attacker to trick an
user into changing her password. - CVE-2014-9034
Javier Nieto Arevalo and Andres Rojas Guerrero reported a potential
denial of service in the way the phpass library is used to handle
passwords, since no maximum password length was set. - CVE-2014-9035
John Blackbourn reported an XSS in the Press This function (used
for quick publishing using a browser bookmarklet). - CVE-2014-9036
Robert Chapin reported an XSS in the HTML filtering of CSS in posts. - CVE-2014-9037
David Anderson reported a hash comparison vulnerability for
passwords stored using the old-style MD5 scheme. While unlikely,
this could be exploited to compromise an account, if the user had
not logged in after a Wordpress 2.5 update (uploaded to Debian on 2
Apr, 2008) and the password MD5 hash could be collided with due to
PHP dynamic comparison. - CVE-2014-9038
Ben Bidner reported a server side request forgery (SSRF) in the core
HTTP layer which unsufficiently blocked the loopback IP address
space. - CVE-2014-9039
Momen Bassel, Tanoy Bose, and Bojan Slavkovic reported a
vulnerability in the password reset process: an email address change
would not invalidate a previous password reset email.
For the stable distribution (wheezy), these problems have been fixed in
version 3.6.1+dfsg-1~deb7u5.
For the upcoming stable distribution (jessie), these problems have been
fixed in version 4.0.1+dfsg-1.
For the unstable distribution (sid), these problems have been fixed in
version 4.0.1+dfsg-1.
We recommend that you upgrade your wordpress packages.
References
Related
openvas
openvas
Debian Security Advisory DSA 3085-1 (wordpress - security update)
2014-12-03 00:00:00
Debian: Security Advisory (DSA-3085-1)
2014-12-02 00:00:00
Mageia: Security Advisory (MGASA-2014-0493)
2022-01-28 00:00:00
nessus
nessus
Debian DSA-3085-1 : wordpress - security update
2014-12-04 00:00:00
Mandriva Linux Security Advisory : wordpress (MDVSA-2014:233)
2014-11-28 00:00:00
Fedora 20 : wordpress-4.0.1-1.fc20 (2014-15507)
2014-12-03 00:00:00
debian
debian
[SECURITY] [DSA 3085-1] wordpress security update
2014-12-03 08:38:56
[SECURITY] [DLA 236-1] wordpress security update
2015-06-01 12:11:28
securityvulns
securityvulns
[ MDVSA-2014:233 ] wordpress
2014-12-01 00:00:00
WordPress <=4.0 Denial of Service Exploit (CVE-2014-9034)
2014-12-01 00:00:00
mageia
mageia
Updated wordpress package fixes security vulnerabilities
2014-11-26 20:29:06
fedora
fedora
[SECURITY] Fedora 21 Update: wordpress-4.0.1-1.fc21
2014-12-06 10:12:34
[SECURITY] Fedora 20 Update: wordpress-4.0.1-1.fc20
2014-12-03 01:03:45
[SECURITY] Fedora 19 Update: wordpress-4.0.1-1.fc19
2014-12-03 01:05:40
freebsd
freebsd
wordpress -- multiple vulnerabilities
2014-11-25 00:00:00
osv
osv
wordpress - security update
2015-06-01 00:00:00
prion
prion
Cross site scripting
2014-11-25 23:59:00
Cross site scripting
2014-11-25 23:59:00
Design/Logic Flaw
2014-11-25 23:59:00
patchstack
patchstack
WordPress <= 4.0.0 - CSRF
2014-11-20 00:00:00
WordPress <=4.0.1 - Denial of Service Attacks
2014-12-01 00:00:00
WordPress <= 4.0.0 - Multiple Vulnerabilities #2
2014-11-20 00:00:00
debiancve
debiancve
ubuntucve
ubuntucve
veracode
veracode
Denial Of Service(DoS) Via CPU Consumption
2017-08-10 08:10:58
Cross-Site Scripting (XSS)
2017-08-08 08:32:31
cve
cve
zdt
zdt
WordPress 4.0 Denial Of Service Exploit
2014-12-01 00:00:00
wpvulndb
wpvulndb
WordPress <= 4.0 - CSRF in wp-login.php Password Reset
2014-11-25 22:57:27
WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)
2014-11-20 19:52:43
WordPress <= 4.0 - Long Password Denial of Service (DoS)
2014-11-20 20:02:12
wpexploit
wpexploit
WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)
2014-11-20 19:52:43
packetstorm
packetstorm
WordPress 4.0 Denial Of Service
2014-11-29 00:00:00
Drupal / WordPress Memory Exhaustion
2014-12-01 00:00:00
metasploit
metasploit
WordPress Long Password DoS
2015-01-04 18:50:23
exploitpack
exploitpack
WordPress 4.0 - Denial of Service
2014-12-01 00:00:00
exploitdb
exploitdb
WordPress Core 4.0 - Denial of Service
2014-12-01 00:00:00
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
Related for OSV:DSA-3085-1