CVE-2024-6307

See a problem?
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-6307
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-6307.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-6307
Aliases
Related
Published
2024-06-25T11:15:50Z
Modified
2024-10-02T21:49:21.899364Z
Severity
  • 6.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

WordPress Core is vulnerable to Stored Cross-Site Scripting via the HTML API in various versions prior to 6.5.5 due to insufficient input sanitization and output escaping on URLs. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

References

Affected packages

Debian:12 / wordpress

Package

Name
wordpress
Purl
pkg:deb/debian/wordpress?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

6.*

6.1.1+dfsg1-1
6.1.6+dfsg1-0+deb12u1
6.2+dfsg1-1
6.2.1+dfsg1-1
6.2.2+dfsg1-1
6.3+dfsg1-1
6.3.1+dfsg1-1
6.3.2+dfsg1-1
6.4.1+dfsg1-1
6.4.1+dfsg1-1.1
6.4.2+dfsg1-1
6.4.3+dfsg1-1
6.5+dfsg1-1
6.5.2+dfsg1-1
6.5.3+dfsg1-1
6.5.5+dfsg1-1
6.6.1+dfsg1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / wordpress

Package

Name
wordpress
Purl
pkg:deb/debian/wordpress?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.5.5+dfsg1-1

Affected versions

6.*

6.1.1+dfsg1-1
6.2+dfsg1-1
6.2.1+dfsg1-1
6.2.2+dfsg1-1
6.3+dfsg1-1
6.3.1+dfsg1-1
6.3.2+dfsg1-1
6.4.1+dfsg1-1
6.4.1+dfsg1-1.1
6.4.2+dfsg1-1
6.4.3+dfsg1-1
6.5+dfsg1-1
6.5.2+dfsg1-1
6.5.3+dfsg1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}