CPANSA-Yukki-2016-4566-plupload: Yukki vulnerability

Publisher	giterlizzi	Document category	csaf_security_advisory
Initial release date	2016-05-22T00:00:00	Engine	CSAF Perl Toolkit 0.25
Current release date	2016-05-22T00:00:00	Build Date
Current version	1	Status	final
CVSS v3.1 Base Score	6.1	Severity	Medium
Original language		Language	en
Also referred to

Vulnerability Description

Cross-site scripting (XSS) vulnerability in plupload.flash.swf in Plupload before 2.1.9, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via a Same-Origin Method Execution (SOME) attack.

Vulnerabilities

CVE-2016-4566

Vulnerability Description

Weakness	CWE-79 : Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Known affected

Product

Score

Yukki greater than or equal 0.121700 and less than or equal 0.140290

CVSS Version	CVSS Vector	CVSS Base Score	CVSS Base Severity
3.0	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	6.1	Medium
2.0	AV:N/AC:M/Au:N/C:N/I:P/A:N	4.3	Medium

giterlizzi

Namespace: https://github.com/giterlizzi/

gdt@cpan.org

References

CPANSA-Yukki-2016-4566-plupload JSON self
https://raw.githubusercontent.com/giterlizzi/perl-CPANSA-CSAF/develop/csaf/white/2016/cpansa-yukki-2016-4566-plupload.json
http://www.plupload.com/punbb/viewtopic.php?pid=28690 external
http://www.plupload.com/punbb/viewtopic.php?pid=28690
https://wordpress.org/news/2016/05/wordpress-4-5-2/ external
https://wordpress.org/news/2016/05/wordpress-4-5-2/
http://www.openwall.com/lists/oss-security/2016/05/07/2 external
http://www.openwall.com/lists/oss-security/2016/05/07/2
https://codex.wordpress.org/Version_4.5.2 external
https://codex.wordpress.org/Version_4.5.2
https://core.trac.wordpress.org/changeset/37382/ external
https://core.trac.wordpress.org/changeset/37382/
https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e external
https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e
https://wpvulndb.com/vulnerabilities/8489 external
https://wpvulndb.com/vulnerabilities/8489
http://www.securitytracker.com/id/1035818 external
http://www.securitytracker.com/id/1035818
CVE-2016-4566 (NVD) external
https://nvd.nist.gov/vuln/detail/CVE-2016-4566

Revision history

Version	Date of the revision	Summary of the revision
1	Sun May 22 00:00:00 2016	First release

Sharing rules

TLP:WHITE
For the TLP version see: https://www.first.org/tlp/