CVE-2019-20042

Опубликовано: 27 дек. 2019

Источник: nvd

CVSS3: 6.1

CVSS2: 4.3

EPSS Низкий

Описание

In wp-includes/formatting.php in WordPress 3.7 to 5.3.0, the function wp_targeted_link_rel() can be used in a particular way to result in a stored cross-site scripting (XSS) vulnerability. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release.

Ссылки

https://blog.ripstech.com/filter/vulnerabilities/
Not Applicable
https://core.trac.wordpress.org/changeset/46894/trunk
Patch
https://github.com/WordPress/wordpress-develop/commit/1f7f3f1f59567e2504f0fbebd51ccf004b3ccb1d
Patch
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-xvg2-m2f4-83m7
Third Party Advisory
https://hackerone.com/reports/509930
Third Party Advisory
https://seclists.org/bugtraq/2020/Jan/8
Mailing List
Third Party Advisory
https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
Release Notes
Vendor Advisory
https://wpvulndb.com/vulnerabilities/9975
Release Notes
Third Party Advisory
https://www.debian.org/security/2020/dsa-4599
Third Party Advisory
https://www.debian.org/security/2020/dsa-4677
Third Party Advisory
https://blog.ripstech.com/filter/vulnerabilities/
Not Applicable
https://core.trac.wordpress.org/changeset/46894/trunk
Patch
https://github.com/WordPress/wordpress-develop/commit/1f7f3f1f59567e2504f0fbebd51ccf004b3ccb1d
Patch
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-xvg2-m2f4-83m7
Third Party Advisory
https://hackerone.com/reports/509930
Third Party Advisory
https://seclists.org/bugtraq/2020/Jan/8
Mailing List
Third Party Advisory
https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
Release Notes
Vendor Advisory
https://wpvulndb.com/vulnerabilities/9975
Release Notes
Third Party Advisory
https://www.debian.org/security/2020/dsa-4599
Third Party Advisory
https://www.debian.org/security/2020/dsa-4677
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*

Версия от 3.7 (включая) до 5.3.1 (исключая)

Конфигурация 2

Одно из

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

EPSS

Процентиль: 90%

0.06245

Низкий

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79

Связанные уязвимости

CVE-2019-20042

CVSS3: 6.1

ubuntu

больше 5 лет назад

CVE-2019-20042

CVSS3: 6.1

debian

больше 5 лет назад

In wp-includes/formatting.php in WordPress 3.7 to 5.3.0, the function ...

GHSA-xgvp-37rp-x96c

CVSS3: 6.1

github

около 3 лет назад

WordPress before 5.3.1 allowed an attacker to create a cross-site scripting attack (XSS) in well crafted links, because of an insufficient protection mechanism in wp_targeted_link_rel in wp-includes/formatting.php.

BDU:2020-01952

CVSS3: 4.7

fstec

почти 6 лет назад

Уязвимость функции wp_targeted_link_rel() системы управления содержимым сайта WordPress, связанная с непринятием мер по защите структуры веб-страницы, позволяющая нарушителю оказать воздействие на целостность данных

EPSS

Процентиль: 90%

0.06245

Низкий

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79