UBUNTU-CVE-2017-14990
- Source
- https://ubuntu.com/security/CVE-2017-14990
- Import Source
- https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2017/UBUNTU-CVE-2017-14990.json
- JSON Data
- https://api.osv.dev/v1/vulns/UBUNTU-CVE-2017-14990
- Related
- Published
- 2017-10-03T01:29:00Z
- Modified
- 2025-01-13T10:21:27Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- [none]
- Details
-
WordPress 4.8.2 stores cleartext wpsignups.activationkey values (but stores the analogous wpusers.useractivation_key values as hashes), which might make it easier for remote attackers to hijack unactivated user accounts by leveraging database read access (such as access gained through an unspecified SQL injection vulnerability).
- References
Affected packages
Ubuntu:Pro:16.04:LTS / wordpress
Package
- Name
- wordpress
- Purl
- pkg:deb/ubuntu/wordpress@4.4.2+dfsg-1ubuntu1?arch=source&distro=esm-apps/xenial
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ubuntu:18.04:LTS / wordpress
Package
- Name
- wordpress
- Purl
- pkg:deb/ubuntu/wordpress@4.8.2+dfsg-2?arch=source&distro=bionic
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed4.8.2+dfsg-2
Ecosystem specific
{
"availability": "No subscription required",
"ubuntu_priority": "low",
"binaries": [
{
"binary_name": "wordpress",
"binary_version": "4.8.2+dfsg-2"
},
{
"binary_name": "wordpress-l10n",
"binary_version": "4.8.2+dfsg-2"
},
{
"binary_name": "wordpress-theme-twentyfifteen",
"binary_version": "4.8.2+dfsg-2"
},
{
"binary_name": "wordpress-theme-twentyseventeen",
"binary_version": "4.8.2+dfsg-2"
},
{
"binary_name": "wordpress-theme-twentysixteen",
"binary_version": "4.8.2+dfsg-2"
}
]
}