FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  566519
Date:      2021-02-25
Time:      02:33:09Z
Committer: philip

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
4b98613c-0078-11e9-b05b-00e04c1ea73dwordpress -- multiple issues

wordpress developers reports:

WordPress versions 5.0 and earlier are affected by the following bugs, which are fixed in version 5.0.1. Updated versions of WordPress 4.9 and older releases are also available, for users who have not yet updated to 5.0.

Karim El Ouerghemmi discovered that authors could alter meta data to delete files that they weren’t authorized to.

Simon Scannell of RIPS Technologies discovered that authors could create posts of unauthorized post types with specially crafted input.

Sam Thomas discovered that contributors could craft meta data in a way that resulted in PHP object injection.

Tim Coen discovered that contributors could edit new comments from higher-privileged users, potentially leading to a cross-site scripting vulnerability.

Tim Coen also discovered that specially crafted URL inputs could lead to a cross-site scripting vulnerability in some circumstances. WordPress itself was not affected, but plugins could be in some situations.

Team Yoast discovered that the user activation screen could be indexed by search engines in some uncommon configurations, leading to exposure of email addresses, and in some rare cases, default generated passwords.

Tim Coen and Slavco discovered that authors on Apache-hosted sites could upload specifically crafted files that bypass MIME verification, leading to a cross-site scripting vulnerability.


Discovery 2018-12-13
Entry 2018-12-15
wordpress
fr-wordpress
lt 5.0.1,1

de-wordpress
zh_CN-wordpress
zh_TW-wordpress
ja-wordpress
ru-wordpress
lt 5.0.1

https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
8a9f86de-d080-11e9-9051-4c72b94353b5wordpress -- multiple issues

wordpress developers reports:

Props to Simon Scannell of RIPS Technologies for finding and disclosing two issues. The first, a cross-site scripting (XSS) vulnerability found in post previews by contributors. The second was a cross-site scripting vulnerability in stored comments.

Props to Tim Coen for disclosing an issue where validation and sanitization of a URL could lead to an open redirect.

Props to Anshul Jain for disclosing reflected cross-site scripting during media uploads.

Props to Zhouyuan Yang of Fortinets FortiGuard Labs who disclosed a vulnerability for cross-site scripting (XSS) in shortcode previews.

Props to Ian Dunn of the Core Security Team for finding and disclosing a case where reflected cross-site scripting could be found in the dashboard.

Props to Soroush Dalilifrom NCC Group for disclosing an issue with URL sanitization that can lead to cross-site scripting (XSS) attacks.

In addition to the above changes, we are also updating jQuery on older versions of WordPress. This change was added in 5.2.1 and is now being brought to older versions.


Discovery 2019-09-05
Entry 2019-09-06
wordpress
fr-wordpress
lt 5.2.3,1

de-wordpress
zh_CN-wordpress
zh_TW-wordpress
ja-wordpress
ru-wordpress
lt 5.2.3

https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
459df1ba-051c-11ea-9673-4c72b94353b5wordpress -- multiple issues

wordpress developers reports:

Props to Evan Ricafort for finding an issue where stored XSS (cross-site scripting) could be added via the Customizer.

rops to J.D. Grimes who found and disclosed a method of viewing unauthenticated posts.

Props to Weston Ruter for finding a way to create a stored XSS to inject Javascript into style tags.

rops to David Newman for highlighting a method to poison the cache of JSON GET requests via the Vary: Origin header.

Props to Eugene Kolodenker who found a server-side request forgery in the way that URLs are validated.

Props to Ben Bidner of the WordPress Security Team who discovered issues related to referrer validation in the admin.


Discovery 2019-10-14
Entry 2019-11-12
wordpress
fr-wordpress
lt 5.2.4,1

de-wordpress
zh_CN-wordpress
zh_TW-wordpress
ja-wordpress
ru-wordpress
lt 5.2.4

https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
4740174c-82bb-11e8-a29a-00e04c1ea73dwordpress -- multiple issues

wordpressdevelopers reports:

Taxonomy: Improve cache handling for term queries.

Posts, Post Types: Clear post password cookie when logging out.

Widgets: Allow basic HTML tags in sidebar descriptions on Widgets admin screen.

Community Events Dashboard: Always show the nearest WordCamp if one is coming up, even if there are multiple Meetups happening first.

Privacy: Make sure default privacy policy content does not cause a fatal error when flushing rewrite rules outside of the admin context.


Discovery 2018-07-05
Entry 2018-07-08
wordpress
fr-wordpress
lt 4.9.7,1

de-wordpress
zh_CN-wordpress
zh_TW-wordpress
ja-wordpress
ru-wordpress
lt 4.9.7

https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/
a2589511-d6ba-11e7-88dd-00e04c1ea73dwordpress -- multiple issues

wordpress developers reports:

Use a properly generated hash for the newbloguser key instead of a determinate substring.

Add escaping to the language attributes used on html elements.

Ensure the attributes of enclosures are correctly escaped in RSS and Atom feeds.

Remove the ability to upload JavaScript files for users who do not have the unfiltered_html capability.


Discovery 2017-11-29
Entry 2017-12-01
wordpress
fr-wordpress
lt 4.9.1,1

de-wordpress
ja-wordpress
ru-wordpress
zh-wordpress-zh_CN
zh-wordpress-zh_TW
lt 4.9.1

https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
7b97b32e-27c4-11ea-9673-4c72b94353b5wordpress -- multiple issues

wordpress developers reports:

Four security issues affect WordPress versions 5.3 and earlier; version 5.3.1 fixes them, so youll want to upgrade. If you havent yet updated to 5.3, there are also updated versions of 5.2 and earlier that fix the security issues. -Props to Daniel Bachhuber for finding an issue where an unprivileged user could make a post sticky via the REST API. -Props to Simon Scannell of RIPS Technologies for finding and disclosing an issue where cross-site scripting (XSS) could be stored in well-crafted links. -Props to the WordPress.org Security Team for hardening wp_kses_bad_protocol() to ensure that it is aware of the named colon attribute. -Props to Nguyen The Duc for discovering a stored XSS vulnerability using block editor content.


Discovery 2019-12-13
Entry 2019-12-26
wordpress
fr-wordpress
lt 5.3.1,1

de-wordpress
zh_CN-wordpress
zh_TW-wordpress
ja-wordpress
ru-wordpress
lt 5.3.1

https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
15ee0e93-4bbb-11e9-9ba0-4c72b94353b5wordpress -- multiple issues

wordpress developers reports:

Hosts can now offer a button for their users to update PHP.

The recommended PHP version used by the Update PHP notice can now be filtered.


Discovery 2019-03-12
Entry 2019-03-21
wordpress
fr-wordpress
lt 5.1.1,1

de-wordpress
zh_CN-wordpress
zh_TW-wordpress
ja-wordpress
ru-wordpress
lt 5.1.1

https://wordpress.org/news/2019/03/wordpress-5-1-1-security-and-maintenance-release/
c04dc18f-fcde-11e7-bdf6-00e04c1ea73dwordpress -- multiple issues

wordpress developers reports:

JavaScript errors that prevented saving posts in Firefox have been fixed.

The previous taxonomy-agnostic behavior of get_category_link() and category_description() was restored.

Switching themes will now attempt to restore previous widget assignments, even when there are no sidebars to map.


Discovery 2018-01-16
Entry 2018-01-19
wordpress
fr-wordpress
lt 4.9.2,1

de-wordpress
ja-wordpress
ru-wordpress
zh-wordpress-zh_CN
zh-wordpress-zh_TW
lt 4.9.2

https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/
11325357-1d3c-11eb-ab74-4c72b94353b5wordpress -- multiple issues

wordpress developers reports:

Ten security issues affect WordPress versions 5.5.1 and earlier. If you havent yet updated to 5.5, all WordPress versions since 3.7 have also been updated to fix the following security issues: -Props to Alex Concha of the WordPress Security Team for their work in hardening deserialization requests. -Props to David Binovec on a fix to disable spam embeds from disabled sites on a multisite network. -Thanks to Marc Montas from Sucuri for reporting an issue that could lead to XSS from global variables. -Thanks to Justin Tran who reported an issue surrounding privilege escalation in XML-RPC. He also found and disclosed an issue around privilege escalation around post commenting via XML-RPC. -Props to Omar Ganiev who reported a method where a DoS attack could lead to RCE. -Thanks to Karim El Ouerghemmi from RIPS who disclosed a method to store XSS in post slugs. -Thanks to Slavco for reporting, and confirmation from Karim El Ouerghemmi, a method to bypass protected meta that could lead to arbitrary file deletion.


Discovery 2020-10-29
Entry 2020-11-02
wordpress
fr-wordpress
lt 5.5.2,1

de-wordpress
zh_CN-wordpress
zh_TW-wordpress
ja-wordpress
ru-wordpress
lt 5.5.2

https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/