CVE-2008-3747

2008-08-2700:00:00

ubuntu.com

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

0.006

Percentile

77.8%

JSON

The (1) get_edit_post_link and (2) get_edit_comment_link functions in
wp-includes/link-template.php in WordPress before 2.6.1 do not force SSL
communication in the intended situations, which might allow remote
attackers to gain administrative access by sniffing the network for a
cookie.

Bugs

Notes

Author	Note
jdstrand	per upstream via stefanlsd, SSL functionality doesn’t exist before 2.6.0. However, Debian is trying to backport the SSL functionality, believing that lack of SSL is an extension of this CVE. stefanlsd and upstream feel that this approach is dangerous and messy. It has been marked as Won’t Fix in LP, but can be reopened if the Debian patch is viable. Debian patch is included in 2.5.1-6 (broken) and 2.5.1-7

Author

Note

jdstrand

per upstream via stefanlsd, SSL functionality doesn’t exist before 2.6.0. However, Debian is trying to backport the SSL functionality, believing that lack of SSL is an extension of this CVE. stefanlsd and upstream feel that this approach is dangerous and messy. It has been marked as Won’t Fix in LP, but can be reopened if the Debian patch is viable. Debian patch is included in 2.5.1-6 (broken) and 2.5.1-7