| CVE-2017-9063 |
|
发布时间 :2017-05-18 10:29:00 | ||
| 修订时间 :2017-11-03 21:29:55 | ||||
| NMP |
[原文]In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability related to the Customizer exists, involving an invalid customization session.
[CNNVD]CNNVD数据暂缺。
[机译]译文暂缺.
- CVSS (基础分值)
| CVSS分值: | 4.3 | [中等(MEDIUM)] |
| 机密性影响: | NONE | [对系统的机密性无影响] |
| 完整性影响: | PARTIAL | [可能会导致系统文件被修改] |
| 可用性影响: | NONE | [对系统可用性无影响] |
| 攻击复杂度: | MEDIUM | [漏洞利用存在一定的访问条件] |
| 攻击向量: | NETWORK | [攻击者不需要获取内网访问权或本地访问权] |
| 身份认证: | NONE | [漏洞利用无需身份认证] |
- CWE (弱点类目)
| CWE-79 | [在Web页面生成时对输入的转义处理不恰当(跨站脚本)] |
- CPE (受影响的平台与产品)
| 产品及版本信息(CPE)暂不可用 |
- OVAL (用于检测的技术细节)
| 未找到相关OVAL定义 |
- 官方数据库链接
| http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9063 (官方数据源) MITRE |
| http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9063 (官方数据源) NVD |
- 其它链接及资源
|
http://www.debian.org/security/2017/dsa-3870 (UNKNOWN) DEBIAN DSA-3870 |
|
http://www.securityfocus.com/bid/98509 (VENDOR_ADVISORY) BID 98509 |
|
http://www.securitytracker.com/id/1038520 (UNKNOWN) SECTRACK 1038520 |
|
https://codex.wordpress.org/Version_4.7.5 (PATCH) CONFIRM https://codex.wordpress.org/Version_4.7.5 |
|
https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3 (PATCH) CONFIRM https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3 |
|
https://wordpress.org/news/2017/05/wordpress-4-7-5/ (VENDOR_ADVISORY) CONFIRM https://wordpress.org/news/2017/05/wordpress-4-7-5/ |
|
https://wpvulndb.com/vulnerabilities/8820 (UNKNOWN) MISC https://wpvulndb.com/vulnerabilities/8820 |
- 漏洞信息 (F142776)
| Debian Security Advisory 3870-1 (PacketStormID:F142776) |
| 2017-06-01 00:00:00 |
| Debian debian.org |
| advisory,remote,web,vulnerability,xss,csrf |
| linux,debian |
| CVE-2017-8295,CVE-2017-9061,CVE-2017-9062,CVE-2017-9063,CVE-2017-9064,CVE-2017-9065 |
| [点击下载] |
|
Debian Linux Security Advisory 3870-1 - Several vulnerabilities were discovered in wordpress, a web blogging tool. They would allow remote attackers to force password resets, and perform various cross-site scripting and cross-site request forgery attacks. |
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- -------------------------------------------------------------------------
Debian Security Advisory DSA-3870-1 security@debian.org
https://www.debian.org/security/ Sebastien Delafond
June 01, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : wordpress
CVE ID : CVE-2017-8295 CVE-2017-9061 CVE-2017-9062 CVE-2017-9063
CVE-2017-9064 CVE-2017-9065
Debian Bug : 862053 862816
Several vulnerabilities were discovered in wordpress, a web blogging
tool. They would allow remote attackers to force password resets, and
perform various cross-site scripting and cross-site request forgery
attacks.
For the stable distribution (jessie), these problems have been fixed in
version 4.1+dfsg-1+deb8u13.
For the upcoming stable (stretch) and unstable (sid) distributions,
these problems have been fixed in version 4.7.5+dfsg-1.
We recommend that you upgrade your wordpress packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCgAdFiEEAqSkbVtrXP4xJMh3EL6Jg/PVnWQFAlkvpGwACgkQEL6Jg/PV
nWQkLAgAmoAZZuY1ZY64nBpuZAA+su3YIkX0a9c0HZRv1FkPuACQhCNUjjVeLhRp
gxvq5sxOFaiv0fjT4bm07yUXDbGA0jnN5yADC9A7qLDl44c7bvm8TShAJL+W4Ju9
CccAYnJglPreCKbQajnQGCRaSRDZfouV8woT9qrYHuDYqBf1W3xaJJiAYAe2jxFm
RavqRkbbLBwAQxxNuETTvFWejf41vWW3DIGdEEWuopgz9qlINL8WUtldutQ0dGOt
+bDpfeCaS5VTvQWGKovWqioH2c10WNvVPLHMukuEjN2/xOXC2n5kchbmPSq3Pk6U
ffMwHsIlvGvvEHOXe45rOp102/JWoQ==
=bhTB
-----END PGP SIGNATURE-----
设计是一个发现问题,而不是发现解决方案的过程。