Date: Tue, 12 Sep 2017 20:26:40 +0200
From: Salvatore Bonaccorso <>
To: OSS Security Mailinglist <>
Subject: Shibboleth plugin for WordPress: CVE-2017-14313: XSS vulnerability
 due to improper use of add_query_arg()


MITRE has assigned CVE-2017-14313 for the following cross-site
scripting vulnerability in the Shibboleth plugin for WordPress, caused
by improper use of add_query_arg(), found in the
shibboleth_login_form function in shibboleth.php.

Decided to still forward the assignment here to the list even as
Dominic mentioned the issue was long known already, but apparently at
least never reported in Debian.

Only now a CVE was requested, triggered by the bug report in Debian:

Upstream fix (contained in 1.8):


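The bug class named in the message above, shown as an added illustration that is neither the plugin's code nor the upstream fix: the value returned by add_query_arg() is written into an href attribute, first unescaped and then wrapped in esc_url(). The stand-in functions, the request URI and the `action`/`example_login` values are assumptions constructed for this sketch so that it also runs outside WordPress.

```php
<?php
// Added illustration only: not the Shibboleth plugin's code or its upstream fix.
// When run outside WordPress, simplified stand-ins are defined for CLI use.
if (!function_exists('add_query_arg')) {
    // Stand-in (assumption): with no URL argument, the base is the raw
    // request URI, and the returned string is not HTML-escaped.
    function add_query_arg($key, $value) {
        $uri = $_SERVER['REQUEST_URI'];
        $sep = (strpos($uri, '?') === false) ? '?' : '&';
        return $uri . $sep . rawurlencode($key) . '=' . rawurlencode($value);
    }
    // Stand-in (assumption): simplified; the real esc_url() also strips
    // characters that are invalid in a URL and rejects disallowed schemes.
    function esc_url($url) {
        return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    }
}

// Constructed request URI containing characters that end an HTML attribute.
$_SERVER['REQUEST_URI'] = '/wp-login.php?ref="><b>injected</b>';

// Pattern at issue: the return value goes straight into an href attribute.
function login_link_unescaped() {
    $href = add_query_arg('action', 'example_login'); // hypothetical values
    return '<a href="' . $href . '">Log in</a>';
}

// Hardened form: escape at the point of output.
function login_link_escaped() {
    $href = esc_url(add_query_arg('action', 'example_login'));
    return '<a href="' . $href . '">Log in</a>';
}

// First line: the request-supplied markup lands outside the attribute.
// Second line: the same input stays inside the href value.
echo login_link_unescaped(), PHP_EOL;
echo login_link_escaped(), PHP_EOL;
```

In WordPress itself, add_query_arg() also accepts an explicit base URL as its third argument, which avoids building the link from the request URI at all; escaping on output is still needed.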