Detections
Analytics

Mandriva Linux Security Advisory : wordpress (MDVSA-2013:189)

medium Nessus Plugin ID 67134

Language:

Synopsis

The remote Mandriva Linux host is missing a security update.

Description

Updated wordpress package fixes security vulnerabilities :

A denial of service flaw was found in the way Wordpress, a blog tool and publishing platform, performed hash computation when checking password for password protected blog posts. A remote attacker could provide a specially- crafted input that, when processed by the password checking mechanism of Wordpress would lead to excessive CPU consumption (CVE-2013-2173).

Inadequate SSRF protection for HTTP requests where the user can provide a URL can allow for attacks against the intranet and other sites. This is a continuation of work related to CVE-2013-0235, which was specific to SSRF in pingback requests and was fixed in 3.5.1 (CVE-2013-2199).

Inadequate checking of a user's capabilities could allow them to publish posts when their user role should not allow for it; and to assign posts to other authors (CVE-2013-2200).

Inadequate escaping allowed an administrator to trigger a cross-site scripting vulnerability through the uploading of media files and plugins (CVE-2013-2201).

The processing of an oEmbed response is vulnerable to an XXE (CVE-2013-2202).

If the uploads directory is not writable, error message data returned via XHR will include a full path to the directory (CVE-2013-2203).

Content Spoofing in the MoxieCode (TinyMCE) MoxiePlayer project (CVE-2013-2204).

Cross-domain XSS in SWFUpload (CVE-2013-2205).

Solution

Update the affected wordpress package.

See Also

http://advisories.mageia.org/MGASA-2013-0198.html

Plugin Details

Severity: Medium

ID: 67134

File Name: mandriva_MDVSA-2013-189.nasl

Version: 1.11

Type: local

Published: 7/3/2013

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:wordpress, cpe:/o:mandriva:business_server:1

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 7/2/2013

Reference Information

CVE: CVE-2013-2173, CVE-2013-2199, CVE-2013-2200, CVE-2013-2201, CVE-2013-2202, CVE-2013-2203, CVE-2013-2204, CVE-2013-2205

BID: 60477, 60757, 60758, 60759, 60770, 60775, 60781, 60825

MDVSA: 2013:189