CVE-2017-17091

Опубликовано: 02 дек. 2017

Источник: nvd

CVSS3: 8.8

CVSS2: 6.5

EPSS Низкий

Описание

wp-admin/user-new.php in WordPress before 4.9.1 sets the newbloguser key to a string that can be directly derived from the user ID, which allows remote attackers to bypass intended access restrictions by entering this string.

Ссылки

http://www.securityfocus.com/bid/102024
Third Party Advisory
VDB Entry
https://codex.wordpress.org/Version_4.9.1
Patch
Release Notes
https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c
Patch
https://lists.debian.org/debian-lts-announce/2017/12/msg00019.html
https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
Release Notes
https://wpvulndb.com/vulnerabilities/8969
Third Party Advisory
VDB Entry
https://www.debian.org/security/2018/dsa-4090
http://www.securityfocus.com/bid/102024
Third Party Advisory
VDB Entry
https://codex.wordpress.org/Version_4.9.1
Patch
Release Notes
https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c
Patch
https://lists.debian.org/debian-lts-announce/2017/12/msg00019.html
https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
Release Notes
https://wpvulndb.com/vulnerabilities/8969
Third Party Advisory
VDB Entry
https://www.debian.org/security/2018/dsa-4090

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*

Версия до 4.9 (включая)

EPSS

Процентиль: 89%

0.04891

Низкий

8.8 High

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-330

Связанные уязвимости

CVE-2017-17091

CVSS3: 8.8

ubuntu

больше 7 лет назад

CVE-2017-17091

CVSS3: 8.8

debian

больше 7 лет назад

wp-admin/user-new.php in WordPress before 4.9.1 sets the newbloguser k ...

GHSA-9xr7-2f3f-frc6

CVSS3: 8.8

github

около 3 лет назад

EPSS

Процентиль: 89%

0.04891

Низкий

8.8 High

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-330