-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2279
                         wordpress security update
                                2 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           wordpress
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Increased Privileges -- Existing Account
                   Cross-site Scripting -- Existing Account
                   Unauthorised Access  -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-4050 CVE-2020-4049 CVE-2020-4048
                   CVE-2020-4047 CVE-2020-4046 

Reference:         ESB-2020.2188

Original Bulletin: 
   https://www.debian.org/security/2020/dsa-4709

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : wordpress
Version        : 4.1.31+dfsg-0+deb8u1
CVE ID         : CVE-2020-4046 CVE-2020-4047 CVE-2020-4048
                 CVE-2020-4049 CVE-2020-4050
Debian Bug     : 962685


Several vulnerabilities were discovered in WordPress, a web
blogging tool. They allowed remote attackers to perform
various Cross-Site Scripting (XSS) attacks, create open
redirects, escalate privileges, and bypass authorization
checks.

CVE-2020-4046

    In affected versions of WordPress, users with low
    privileges (like contributors and authors) can use the
    embed block in a certain way to inject unfiltered HTML
    in the block editor. When affected posts are viewed by a
    higher privileged user, this could lead to script
    execution in the editor/wp-admin.

CVE-2020-4047

    In affected versions of WordPress, authenticated users with
    upload permissions (like authors) are able to inject
    JavaScript into some media file attachment pages in a certain
    way. This can lead to script execution in the context of a
    higher privileged user when the file is viewed by them.

CVE-2020-4048

    In affected versions of WordPress, due to an issue in
    wp_validate_redirect() and URL sanitization, an arbitrary
    external link can be crafted leading to unintended/open
    redirect when clicked.
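As an added illustration of the class of check the CVE-2020-4048 entry
refers to (this is not WordPress's wp_validate_redirect() and not part of
the Debian advisory), the following stand-alone PHP helper validates a
redirect target against an allowlist of hostnames. The function name
validate_redirect_target(), the allowlist entry blog.example and the
sample inputs are all constructed for this example.

```php
<?php
// Added example, not WordPress core code: allowlist-based validation of a
// redirect target. Anything that does not clearly stay on an allowed host
// is replaced by $fallback instead of being passed to the browser.

/**
 * Return $location if it is a site-relative path or points at one of
 * $allowed_hosts; otherwise return $fallback.
 */
function validate_redirect_target(string $location, array $allowed_hosts, string $fallback = '/'): string
{
    $location = trim($location);

    // Browsers treat a backslash like a forward slash, so "/\host" is read
    // as "//host" (a protocol-relative URL). Refuse it rather than guess.
    if ($location === '' || strpos($location, '\\') !== false) {
        return $fallback;
    }

    // Control characters or whitespace inside the URL are not legitimate
    // and are typical of attempts to confuse a parser.
    if (preg_match('/[\x00-\x20\x7f]/', $location)) {
        return $fallback;
    }

    // A site-relative path such as "/wp-admin/" (but not "//host/...").
    if ($location[0] === '/' && (!isset($location[1]) || $location[1] !== '/')) {
        return $location;
    }

    $parts = parse_url($location);
    if ($parts === false || !isset($parts['host'])) {
        // Unparseable input, bare relative paths, "javascript:" and the like.
        return $fallback;
    }

    // Only plain web schemes. Protocol-relative URLs carry no scheme and are
    // accepted only if their host passes the allowlist below.
    if (isset($parts['scheme']) && !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;
    }

    // "user@host" forms hide the real destination from a reader; never follow.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return $fallback;
    }

    $host = strtolower($parts['host']);
    foreach ($allowed_hosts as $allowed) {
        if ($host === strtolower($allowed)) {
            return $location;
        }
    }
    return $fallback;
}

// Constructed sample inputs (not taken from the advisory).
$allowed = ['blog.example'];
foreach ([
    '/wp-admin/edit.php',
    'https://blog.example/post/1',
    'https://other.example/',
    '//other.example/',
    '/\\other.example',
    'https://blog.example@other.example/',
    'javascript:alert(1)',
] as $candidate) {
    printf("%-40s -> %s\n", $candidate, validate_redirect_target($candidate, $allowed));
}
```

The design point is that every ambiguous input (backslashes, embedded
whitespace, credentials in the authority part, non-web schemes) is rejected
outright; only a site-relative path or an exact, case-insensitive host match
is allowed through. A validator that instead tries to "clean up" such input
is exactly where open-redirect issues tend to appear.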

CVE-2020-4049

    In affected versions of WordPress, when uploading themes, the
    name of the theme folder can be crafted in a way that could
    lead to JavaScript execution in /wp-admin on the themes page.
    This does require an admin to upload the theme, and is a
    low-severity self-XSS.

CVE-2020-4050

    In affected versions of WordPress, misuse of the
    `set-screen-option` filter's return value allows arbitrary
    user meta fields to be saved. It does require an admin to
    install a plugin that would misuse the filter. Once installed,
    it can be leveraged by low privileged users.
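As an added illustration of the plugin-side misuse the CVE-2020-4050 entry
describes (this code is not from the Debian advisory, WordPress core, or any
real plugin), the following stand-alone PHP file shows a `set-screen-option`
filter callback written the way that lets arbitrary user meta be saved, next
to a hardened version that only answers for its own option. The minimal
add_filter()/apply_filters() stand-ins, the save_screen_option() simulation,
the option name myplugin_items_per_page and the sample keys are all
constructed for this example so that it runs outside WordPress.

```php
<?php
// Added example, not WordPress core or plugin code.
//
// WordPress calls the 'set-screen-option' filter with ($status, $option,
// $value). If the filter chain returns anything other than false, the result
// is stored as user meta under the key $option. Both $option and $value are
// taken from the request, so a callback that blindly returns $value lets the
// requester choose the meta key as well as the stored value.

// Minimal stand-ins for the WordPress hook API (priority and argument count
// are ignored here; real code uses core's add_filter()/apply_filters()).
$GLOBALS['hooks'] = [];

function add_filter(string $tag, callable $cb, int $priority = 10, int $accepted_args = 1): void
{
    $GLOBALS['hooks'][$tag][] = $cb;
}

function apply_filters(string $tag, $value, ...$args)
{
    foreach ($GLOBALS['hooks'][$tag] ?? [] as $cb) {
        $value = $cb($value, ...$args);
    }
    return $value;
}

// Simulates the relevant part of core's screen-option saving: whatever the
// filter chain returns (if not false) is stored under the request-supplied key.
function save_screen_option(array &$user_meta, string $option, $value): bool
{
    $result = apply_filters('set-screen-option', false, $option, $value);
    if ($result === false) {
        return false;              // nothing saved
    }
    $user_meta[$option] = $result;
    return true;
}

// VULNERABLE pattern: returns the value for every option name, so any
// request can set any meta key for the current user.
function vulnerable_screen_option_callback($status, $option, $value)
{
    return $value;
}

// HARDENED pattern: only answer for the plugin's own option, coerce the value
// to the expected type and range, and otherwise return $status unchanged so
// unrelated option names are left alone.
const MYPLUGIN_PER_PAGE_OPTION = 'myplugin_items_per_page'; // assumed name

function hardened_screen_option_callback($status, $option, $value)
{
    if ($option !== MYPLUGIN_PER_PAGE_OPTION) {
        return $status;
    }
    $n = (int) $value;
    if ($n < 1 || $n > 999) {
        return $status;            // out of range: do not save
    }
    return $n;
}

// Constructed scenario: one legitimate screen-option request, then a request
// that names some other user meta key instead of a screen option.
function demo(callable $callback): array
{
    $GLOBALS['hooks'] = [];
    add_filter('set-screen-option', $callback, 10, 3);
    $meta = [];
    save_screen_option($meta, MYPLUGIN_PER_PAGE_OPTION, '50');
    save_screen_option($meta, 'some_other_meta_key', 'request-chosen value');
    return $meta;
}

echo "vulnerable callback:\n";
print_r(demo('vulnerable_screen_option_callback'));
echo "hardened callback:\n";
print_r(demo('hardened_screen_option_callback'));
```

Running the file shows the difference directly: with the vulnerable callback
both keys end up in the meta array, including the one that is not a screen
option at all; with the hardened callback only the plugin's own option is
stored, as an integer within the expected range. When auditing plugins for
this issue, the thing to look for is a `set-screen-option` callback that
returns `$value` without first comparing `$option` to a known name.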

For Debian 8 "Jessie", these problems have been fixed in version
4.1.31+dfsg-0+deb8u1.

We recommend that you upgrade your wordpress packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAl78gFkACgkQgj6WdgbD
S5bzWQ//d3mbBTVlWczRLscTmlk2tqfdwKVXqhTrDHxUxEil01K2itZlfYxy7ahE
nZZUQc9QtEDxUPOdtwn3Ahkf6xJNU0de/QTYBSTJ03udFXfCDYCWEMlMc7tZi4vf
DZDWqv8/WiUzTj23AN7IwIpU3vl6HeSLO3BLKMijdSH9NUSu63Mtv0qkICHuVw4U
ScFesYL4bz+5DwxIMD7US/qShz0K0LXb1IIDIXmmWOPUD+IOtXv24WawOOhlOWK9
XdPBqR54+/ln2A1jm3JQ07mQwUuwZrmDqWWAfCD8ueybAjbbGlUuWlHg6p3abkpa
ZCpLMQSBGQZ1cjSNkR+qRHzBlMRayypAmDnyKcggo5xygnKsaEVRBlqTpWzp41iL
17AQvkhvxBIw9M4A6BePHNkBnaoEUeSlnTa2nFKEE76dsbvpvFRPmPse/hqvAD8W
1ZUt17ZLTfRkOXF+2js37UiXDMuPJaaLitUoGk1thkZq0qbsj6l3DLBqr9xWpOsU
fbGkezloJ/bYUskT0/wKzqfJcbHlniwb29m7f8xKSbTZQ2umG2JO7fy4GA09wF4q
nW/gGIo326YMCU54bp+3vTNrmF41yoPojDHC7W5BiQ+U0WJq5E122EZ4ysVOsa7a
cgteHs7xkSkO+5Wbe2u2AA6brOjh92aSc0edNcYBzTUZ/Yq69y8=
=c6Gi
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXv1ViONLKJtyKPYoAQgELBAAqNlBQn90hT8fA6PW77/9IGvswPGCfRCq
5qn7SD7ByroA7FDH4nChFPurABPrc3aADQFiNRl4wP7J4wyfm7nUSOcpXP70H7Bg
VyZbATszK6mHBLizr8hMd68WPlHeD3MCkrpMSZzAThlj3ZGned5dRC+HMcmD43sc
b0dGYI+uQKKJ0LH+F/+Prufvt7t2wboCXvWmGwuSBg5P36F/dZmis+Pj0aMqwf1p
U5CXzsWH/imfm5EKy2h4gTE/+z9j+6tbusPtWYORfDc0oDBtiTuJ78qyJolzlwgB
h/+CnwR8ip/cpHmFrLpa70E6fVkxeZ3TSLlx9FyuoINis5mT0vPRjA2Kh9C3mDSO
0pfJyU4+YxCM+pIjpsNQhMfJz5jkW+IDSOO6ATKaG5+bxSEefZRc6SnhTfyIs6nR
mwANBD33vc65BW4QMCh8PX6jsBZ96vMv1IV6WBYzvWgMC0o6gXrzFECsd/4KiJG4
ABWzSS3a3sAMYMbLohbex+/ZI+G08HTDPZsDS3aDJloP4O5yDXR94Zje9aYZ9bQu
h0tlGZFg82ey1E5qNU8IPogCHZpvdI4KFJedObZXInNqTWY82v1C57lrQmV1xin2
7wxi8Fz3KY69AB2hn4UM4m6D0Gmmmvi2V3svsGBsuPy7tdPZ96mhaaBtMcI6MMNh
FCq/dWKGXVo=
=pLs0
-----END PGP SIGNATURE-----