oss-security - CVE Request -- WordPress (3,4.2): CSRF in the incoming links section of the dashboard

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [thread-next>] [day] [month] [year] [list]

Date: Tue, 25 Sep 2012 08:46:31 -0400 (EDT)
From: Jan Lieskovsky <jlieskov@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>
Cc: oss-security@...ts.openwall.com,
        WordPress Security Team <security@...dpress.org>,
        Matej Cepl <mcepl@...hat.com>
Subject: CVE Request -- WordPress (3,4.2): CSRF in the incoming links
 section of the dashboard

Hello Kurt, Steve, WordPress Security Team, vendors,

  an anonymous researcher called 'Akastep' has reported
and CSRF flaw being present in the way WordPress of version
v3.4.2 and earlier used to process incoming links section /
widget of the dashboard.

References:

[1] http://packetstormsecurity.org/files/116785/WordPress-3.4.2-Cross-Site-Request-Forgery.html
[2] https://bugzilla.redhat.com/show_bug.cgi?id=860261
[3] https://bugs.gentoo.org/show_bug.cgi?id=436198
[4] https://secunia.com/advisories/50715/

AFAIK there is not an upstream ticket and patch for this issue
yet (but might have overlooked something pretty obvious - WordPress
upstream please clarify).

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.