-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2279
                         wordpress security update
                                 2 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           wordpress
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Increased Privileges   -- Existing Account
                   Cross-site Scripting   -- Existing Account
                   Unauthorised Access    -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-4050 CVE-2020-4049 CVE-2020-4048 CVE-2020-4047
                   CVE-2020-4046
Reference:         ESB-2020.2188

Original Bulletin:
   https://www.debian.org/security/2020/dsa-4709

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : wordpress
Version        : 4.1.31+dfsg-0+deb8u1
CVE ID         : CVE-2020-4046 CVE-2020-4047 CVE-2020-4048 CVE-2020-4049
                 CVE-2020-4050
Debian Bug     : 962685

Several vulnerabilities were discovered in WordPress, a web blogging tool.
They allowed remote attackers to perform various Cross-Site Scripting (XSS)
attacks, create open redirects, escalate privileges, and bypass authorization
access.

CVE-2020-4046

    In affected versions of WordPress, users with low privileges (like
    contributors and authors) can use the embed block in a certain way to
    inject unfiltered HTML in the block editor. When affected posts are
    viewed by a higher privileged user, this could lead to script execution
    in the editor/wp-admin.

CVE-2020-4047

    In affected versions of WordPress, authenticated users with upload
    permissions (like authors) are able to inject JavaScript into some media
    file attachment pages in a certain way. This can lead to script execution
    in the context of a higher privileged user when the file is viewed by
    them.
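Both of the issues above have the same shape: markup stored by a lower-privileged account is later rendered inside wp-admin to a higher-privileged one, so whatever that account can save has to be reduced to an allowlist on the way in (WordPress does this with wp_kses for users who lack the unfiltered_html capability). The following is an added illustration of that filtering style, written for this bulletin and not taken from WordPress, Debian or any plugin; the tag and attribute allowlist, the function names and the sample contributor content are all constructed for the example, and it only needs PHP's bundled DOM extension.

```php
<?php
// Added example, not WordPress core code: an allowlist HTML filter in the
// spirit of wp_kses, for content saved by accounts that lack the
// unfiltered_html capability. The allowlist and sample input are constructed.

const ALLOWED_TAGS = [
    'p'      => [],
    'em'     => [],
    'strong' => [],
    'a'      => ['href', 'title'],
    'img'    => ['src', 'alt'],
];
// Elements whose contents must go too, not just the surrounding tag.
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed'];
const SAFE_URL_SCHEMES  = ['http', 'https', 'mailto'];

/** A URL attribute is safe if it is relative or uses an allowlisted scheme. */
function is_safe_url(string $value): bool {
    // Strip control characters and whitespace before looking at the scheme,
    // so "java\tscript:" is recognised as "javascript:".
    $probe = preg_replace('/[\x00-\x20]+/', '', $value) ?? '';
    if (!preg_match('/^([a-z][a-z0-9+.-]*):/i', $probe, $m)) {
        return true; // no scheme at all: a relative URL
    }
    return in_array(strtolower($m[1]), SAFE_URL_SCHEMES, true);
}

function filter_node(DOMNode $parent): void {
    // Snapshot the child list: nodes are removed and re-parented while walking.
    foreach (iterator_to_array($parent->childNodes) as $child) {
        if ($child instanceof DOMText) {
            continue; // plain text is re-escaped by DOMDocument on output
        }
        if (!$child instanceof DOMElement) {
            $parent->removeChild($child); // comments, processing instructions
            continue;
        }
        $tag = strtolower($child->tagName);
        if (in_array($tag, DROP_WITH_CONTENT, true)) {
            $parent->removeChild($child);
            continue;
        }
        if (!isset(ALLOWED_TAGS[$tag])) {
            // Unknown element: keep what is inside it, drop the tag itself.
            filter_node($child);
            while ($child->firstChild !== null) {
                $parent->insertBefore($child->firstChild, $child);
            }
            $parent->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            $keep = in_array($name, ALLOWED_TAGS[$tag], true)
                && (($name !== 'href' && $name !== 'src') || is_safe_url($attr->value));
            if (!$keep) {
                $child->removeAttribute($attr->name); // drops every on* handler too
            }
        }
        filter_node($child);
    }
}

function kses_like(string $fragment): string {
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true); // tolerate sloppy markup quietly
    $doc->loadHTML(
        '<!DOCTYPE html><html><head><meta charset="utf-8"></head><body>'
        . $fragment . '</body></html>'
    );
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $body = $doc->getElementsByTagName('body')->item(0);
    filter_node($body);

    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample: what a contributor could store if nothing filtered it.
$untrusted = '<p>Hello <strong onmouseover="x()">world</strong>, '
    . '<a href="java&#9;script:alert(1)" title="t">link</a> '
    . '<script>alert(1)</script>'
    . '<img src="https://example.invalid/a.png" alt="ok" onerror="x()"></p>';

// In a plugin this would sit behind: if ( ! current_user_can( 'unfiltered_html' ) )
echo kses_like($untrusted), PHP_EOL;
// The on* attributes, the script element and the javascript: href are gone;
// <p>, <strong>, <a title="t"> and the https image survive.
```

The unwrap branch matters more than it looks: dropping an unknown element but keeping its text is what stops a filter from destroying legitimate content, while the scheme check on href and src is what the "embed block" and attachment-page cases above are really about, since an attribute value, not just a tag name, is where script usually hides.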
CVE-2020-4048

    In affected versions of WordPress, due to an issue in
    wp_validate_redirect() and URL sanitization, an arbitrary external link
    can be crafted leading to unintended/open redirect when clicked.

CVE-2020-4049

    In affected versions of WordPress, when uploading themes, the name of the
    theme folder can be crafted in a way that could lead to JavaScript
    execution in /wp-admin on the themes page. This does require an admin to
    upload the theme, and is low severity self-XSS.

CVE-2020-4050

    In affected versions of WordPress, misuse of the `set-screen-option`
    filter's return value allows arbitrary user meta fields to be saved. It
    does require an admin to install a plugin that would misuse the filter.
    Once installed, it can be leveraged by low privileged users.

For Debian 8 "Jessie", these problems have been fixed in version
4.1.31+dfsg-0+deb8u1.

We recommend that you upgrade your wordpress packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAl78gFkACgkQgj6WdgbD
S5bzWQ//d3mbBTVlWczRLscTmlk2tqfdwKVXqhTrDHxUxEil01K2itZlfYxy7ahE
nZZUQc9QtEDxUPOdtwn3Ahkf6xJNU0de/QTYBSTJ03udFXfCDYCWEMlMc7tZi4vf
DZDWqv8/WiUzTj23AN7IwIpU3vl6HeSLO3BLKMijdSH9NUSu63Mtv0qkICHuVw4U
ScFesYL4bz+5DwxIMD7US/qShz0K0LXb1IIDIXmmWOPUD+IOtXv24WawOOhlOWK9
XdPBqR54+/ln2A1jm3JQ07mQwUuwZrmDqWWAfCD8ueybAjbbGlUuWlHg6p3abkpa
ZCpLMQSBGQZ1cjSNkR+qRHzBlMRayypAmDnyKcggo5xygnKsaEVRBlqTpWzp41iL
17AQvkhvxBIw9M4A6BePHNkBnaoEUeSlnTa2nFKEE76dsbvpvFRPmPse/hqvAD8W
1ZUt17ZLTfRkOXF+2js37UiXDMuPJaaLitUoGk1thkZq0qbsj6l3DLBqr9xWpOsU
fbGkezloJ/bYUskT0/wKzqfJcbHlniwb29m7f8xKSbTZQ2umG2JO7fy4GA09wF4q
nW/gGIo326YMCU54bp+3vTNrmF41yoPojDHC7W5BiQ+U0WJq5E122EZ4ysVOsa7a
cgteHs7xkSkO+5Wbe2u2AA6brOjh92aSc0edNcYBzTUZ/Yq69y8=
=c6Gi
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXv1ViONLKJtyKPYoAQgELBAAqNlBQn90hT8fA6PW77/9IGvswPGCfRCq
5qn7SD7ByroA7FDH4nChFPurABPrc3aADQFiNRl4wP7J4wyfm7nUSOcpXP70H7Bg
VyZbATszK6mHBLizr8hMd68WPlHeD3MCkrpMSZzAThlj3ZGned5dRC+HMcmD43sc
b0dGYI+uQKKJ0LH+F/+Prufvt7t2wboCXvWmGwuSBg5P36F/dZmis+Pj0aMqwf1p
U5CXzsWH/imfm5EKy2h4gTE/+z9j+6tbusPtWYORfDc0oDBtiTuJ78qyJolzlwgB
h/+CnwR8ip/cpHmFrLpa70E6fVkxeZ3TSLlx9FyuoINis5mT0vPRjA2Kh9C3mDSO
0pfJyU4+YxCM+pIjpsNQhMfJz5jkW+IDSOO6ATKaG5+bxSEefZRc6SnhTfyIs6nR
mwANBD33vc65BW4QMCh8PX6jsBZ96vMv1IV6WBYzvWgMC0o6gXrzFECsd/4KiJG4
ABWzSS3a3sAMYMbLohbex+/ZI+G08HTDPZsDS3aDJloP4O5yDXR94Zje9aYZ9bQu
h0tlGZFg82ey1E5qNU8IPogCHZpvdI4KFJedObZXInNqTWY82v1C57lrQmV1xin2
7wxi8Fz3KY69AB2hn4UM4m6D0Gmmmvi2V3svsGBsuPy7tdPZ96mhaaBtMcI6MMNh
FCq/dWKGXVo=
=pLs0
-----END PGP SIGNATURE-----
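The last issue in the bulletin above, CVE-2020-4050, is worth a closer look for anyone who maintains a WordPress plugin, because the core fix does not remove the underlying mistake from plugins that make it: a `set-screen-option` callback that hands back whatever value it receives tells core to store it under whatever option name the request carried. The following is an added example, written for this bulletin and not taken from WordPress core, Debian or any plugin. It contrasts that permissive callback with one that answers only for the option it registered, and runs them through a deliberately simplified model of how core consults the filter; the model, the function names, the option name `myplugin_items_per_page` and the meta store are all constructed for the example.

```php
<?php
// Added example, not WordPress core or any plugin's code. Demonstrates why a
// 'set-screen-option' callback must answer only for its own option name.
// core_save_screen_option() is a simplified model of how core consults the
// filter, written here so the script runs without WordPress.

/** Vulnerable pattern: claims every option name the request supplies. */
function plugin_filter_permissive($status, string $option, $value) {
    return $value;
}

/** Safer pattern: answers only for the option it registered, and sanitizes it. */
function plugin_filter_strict($status, string $option, $value) {
    if ('myplugin_items_per_page' === $option) {
        $n = (int) $value;
        return ($n >= 1 && $n <= 100) ? $n : 20; // clamp to a sane range
    }
    return $status; // false = "not mine", so core stores nothing
}

/**
 * Simplified model of core (an assumption of this example, not core's code):
 * an option core does not itself recognise is offered to the filter with
 * $status = false; a false result means nothing is saved, while any other
 * result is written to user meta under the request-supplied option name.
 */
function core_save_screen_option(callable $filter, array &$user_meta,
                                 string $option, $value): bool {
    $result = $filter(false, $option, $value);
    if (false === $result) {
        return false;
    }
    $user_meta[$option] = $result;
    return true;
}

// Constructed request: a low-privileged user posts an option name the plugin
// never registered, with a value of their choosing.
$meta = [];
core_save_screen_option('plugin_filter_permissive', $meta,
                        'some_unrelated_meta_key', 'request-supplied');
var_dump($meta); // ['some_unrelated_meta_key' => 'request-supplied']: an arbitrary meta field was saved

$meta = [];
core_save_screen_option('plugin_filter_strict', $meta,
                        'some_unrelated_meta_key', 'request-supplied');
core_save_screen_option('plugin_filter_strict', $meta,
                        'myplugin_items_per_page', '500');
var_dump($meta); // ['myplugin_items_per_page' => 20]: only the registered key, clamped

// In a real plugin the strict callback is wired up with three arguments:
//   add_filter( 'set-screen-option', 'plugin_filter_strict', 10, 3 );
```

Two habits follow from this: return `$status` (not `$value`, and not `true`) for every option name you did not register, and treat the value as untrusted input even for your own option, since both the name and the value arrive from the request.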