CVE-2020-11025

Source
https://cve.org/CVERecord?id=CVE-2020-11025
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-11025.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-11025
Aliases
Downstream
Related
  • GHSA-4mhg-j6fx-5g3c
Published
2020-04-30T22:15:11.887Z
Modified
2026-02-12T08:29:14.719954Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
[none]
Details

In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires an authenticated user. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

References

Affected packages

Git
github.com/python-pillow/pillow

Affected ranges

Type
GIT
Repo
https://github.com/python-pillow/pillow
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

1.*
1.0
1.2
1.7.6
1.7.7
1.7.8
2.*
2.0.0
2.1.0
2.2.0
2.2.1
2.2.2
2.3.0
2.5.0
2.6.0
2.6.0-rc1
2.7.0
2.8.0
2.8.1
2.9.0
2.9.0.dev0
2.9.0.dev1
2.9.0.dev2
3.*
3.0.0
3.1.0
3.1.0-rc1
3.2.0
3.3.0
3.3.1
3.4.0
4.*
4.0.0
4.0.0a
4.1.0
4.2.0
4.3.0
5.*
5.0.0
5.1.0
5.2.0
5.3.0
5.4.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-11025.json"
github.com/wordpress/wordpress

Affected ranges

Type
GIT
Repo
https://github.com/wordpress/wordpress
Events

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-11025.json"
github.com/wordpress/wordpress-develop

Affected ranges

Type
GIT
Repo
https://github.com/wordpress/wordpress-develop
Events

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-11025.json"