MGASA-2013-0285

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2013-0285.html

Import Source

https://advisories.mageia.org/MGASA-2013-0285.json

JSON Data

https://api.osv.dev/v1/vulns/MGASA-2013-0285

Related

Published

2013-09-19T09:45:04Z

Modified

2013-09-19T09:44:59Z

Summary

Updated wordpress and php-phpmailer packages fix security vulnerabilities

Details

wp-includes/functions.php in WordPress before 3.6.1 does not properly determine whether data has been serialized, which allows remote attackers to execute arbitrary code by triggering erroneous PHP unserialize operations (CVE-2013-4338).

WordPress before 3.6.1 does not properly validate URLs before use in an HTTP redirect, which allows remote attackers to bypass intended redirection restrictions via a crafted string (CVE-2013-4339).

wp-admin/includes/post.php in WordPress before 3.6.1 allows remote authenticated users to spoof the authorship of a post by leveraging the Author role and providing a modified user_ID parameter (CVE-2013-4340).

The getallowedmimetypes function in wp-includes/functions.php in WordPress before 3.6.1 does not require the unfilteredhtml capability for uploads of .htm and .html files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file (CVE-2013-5738).

The default configuration of WordPress before 3.6.1 does not prevent uploads of .swf and .exe files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file, related to the getallowedmime_types function in wp-includes/functions.php (CVE-2013-5739).

Additionally, php-phpmailer has been updated to a newer version required by the updated wordpress.

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

Affected packages

Mageia:2 / wordpress

Package

Name: wordpress
Purl: pkg:rpm/mageia/wordpress?distro=mageia-2

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.6.1-1.mga2

Ecosystem specific

{
    "section": "core"
}

Mageia:2 / php-phpmailer

Package

Name: php-phpmailer
Purl: pkg:rpm/mageia/php-phpmailer?distro=mageia-2

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.2.7-0.20130917.1.mga2

Ecosystem specific

{
    "section": "core"
}

Mageia:3 / wordpress

Package

Name: wordpress
Purl: pkg:rpm/mageia/wordpress?distro=mageia-3

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.6.1-1.mga3

Ecosystem specific

{
    "section": "core"
}

Mageia:3 / php-phpmailer

Package

Name: php-phpmailer
Purl: pkg:rpm/mageia/php-phpmailer?distro=mageia-3

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.2.7-0.20130917.1.mga3

Ecosystem specific

{
    "section": "core"
}