FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  518000
Date:      2019-11-20
Time:      10:57:40Z
Committer: zeising

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
c04dc18f-fcde-11e7-bdf6-00e04c1ea73dwordpress -- multiple issues

wordpress developers reports:

JavaScript errors that prevented saving posts in Firefox have been fixed.

The previous taxonomy-agnostic behavior of get_category_link() and category_description() was restored.

Switching themes will now attempt to restore previous widget assignments, even when there are no sidebars to map.


Discovery 2018-01-16
Entry 2018-01-19
wordpress
fr-wordpress
lt 4.9.2,1

de-wordpress
ja-wordpress
ru-wordpress
zh-wordpress-zh_CN
zh-wordpress-zh_TW
lt 4.9.2

https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/
a5bb7ea0-3e58-11e7-94a2-00e04c1ea73dWordpress -- multiple vulnerabilities

WordPress versions 4.7.4 and earlier are affected by six security issues

  • Insufficient redirect validation in the HTTP class.
  • Improper handling of post meta data values in the XML-RPC API.
  • Lack of capability checks for post meta data in the XML-RPC API.
  • A Cross Site Request Forgery (CRSF) vulnerability was discovered in the filesystem credentials dialog.
  • A cross-site scripting (XSS) vulnerability was discovered related to the Customizer.

Discovery 2017-05-16
Entry 2017-05-21
wordpress
fr-wordpress
lt 4.7.5,1

de-wordpress
ja-wordpress
ru-wordpress
zh-wordpress-zh_CN
zh-wordpress-zh_TW
lt 4.7.5

https://wordpress.org/news/2017/05/wordpress-4-7-5/
fb754341-c3e2-11e5-b5fe-002590263bf5wordpress -- XSS vulnerability

Aaron Jorbin reports:

WordPress 4.4.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.4 and earlier are affected by a cross-site scripting vulnerability that could allow a site to be compromised. This was reported by Crtc4L.


Discovery 2016-01-06
Entry 2016-01-26
Modified 2016-03-08
wordpress
lt 4.4.1,1

de-wordpress
ja-wordpress
ru-wordpress
zh-wordpress-zh_CN
zh-wordpress-zh_TW
lt 4.4.1

CVE-2016-1564
http://www.openwall.com/lists/oss-security/2016/01/08/3
https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/
fef03980-e4c6-11e5-b2bd-002590263bf5wordpress -- multiple vulnerabilities

Samuel Sidler reports:

WordPress 4.4.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.4.1 and earlier are affected by two security issues: a possible SSRF for certain local URIs, reported by Ronni Skansing; and an open redirection attack, reported by Shailesh Suthar.


Discovery 2016-02-02
Entry 2016-03-08
wordpress
lt 4.4.2,1

de-wordpress
ja-wordpress
ru-wordpress
zh-wordpress-zh_CN
zh-wordpress-zh_TW
lt 4.4.2

CVE-2016-2221
CVE-2016-2222
http://www.openwall.com/lists/oss-security/2016/02/04/6
https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/
8a9f86de-d080-11e9-9051-4c72b94353b5wordpress -- multiple issues

wordpress developers reports:

Props to Simon Scannell of RIPS Technologies for finding and disclosing two issues. The first, a cross-site scripting (XSS) vulnerability found in post previews by contributors. The second was a cross-site scripting vulnerability in stored comments.

Props to Tim Coen for disclosing an issue where validation and sanitization of a URL could lead to an open redirect.

Props to Anshul Jain for disclosing reflected cross-site scripting during media uploads.

Props to Zhouyuan Yang of Fortinets FortiGuard Labs who disclosed a vulnerability for cross-site scripting (XSS) in shortcode previews.

Props to Ian Dunn of the Core Security Team for finding and disclosing a case where reflected cross-site scripting could be found in the dashboard.

Props to Soroush Dalilifrom NCC Group for disclosing an issue with URL sanitization that can lead to cross-site scripting (XSS) attacks.

In addition to the above changes, we are also updating jQuery on older versions of WordPress. This change was added in 5.2.1 and is now being brought to older versions.


Discovery 2019-09-05
Entry 2019-09-06
wordpress
fr-wordpress
lt 5.2.3,1

de-wordpress
zh_CN-wordpress
zh_TW-wordpress
ja-wordpress
ru-wordpress
lt 5.2.3

https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
4740174c-82bb-11e8-a29a-00e04c1ea73dwordpress -- multiple issues

wordpressdevelopers reports:

Taxonomy: Improve cache handling for term queries.

Posts, Post Types: Clear post password cookie when logging out.

Widgets: Allow basic HTML tags in sidebar descriptions on Widgets admin screen.

Community Events Dashboard: Always show the nearest WordCamp if one is coming up, even if there are multiple Meetups happening first.

Privacy: Make sure default privacy policy content does not cause a fatal error when flushing rewrite rules outside of the admin context.


Discovery 2018-07-05
Entry 2018-07-08
wordpress
fr-wordpress
lt 4.9.7,1

de-wordpress
zh_CN-wordpress
zh_TW-wordpress
ja-wordpress
ru-wordpress
lt 4.9.7

https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/
4b98613c-0078-11e9-b05b-00e04c1ea73dwordpress -- multiple issues

wordpress developers reports:

WordPress versions 5.0 and earlier are affected by the following bugs, which are fixed in version 5.0.1. Updated versions of WordPress 4.9 and older releases are also available, for users who have not yet updated to 5.0.

Karim El Ouerghemmi discovered that authors could alter meta data to delete files that they weren’t authorized to.

Simon Scannell of RIPS Technologies discovered that authors could create posts of unauthorized post types with specially crafted input.

Sam Thomas discovered that contributors could craft meta data in a way that resulted in PHP object injection.

Tim Coen discovered that contributors could edit new comments from higher-privileged users, potentially leading to a cross-site scripting vulnerability.

Tim Coen also discovered that specially crafted URL inputs could lead to a cross-site scripting vulnerability in some circumstances. WordPress itself was not affected, but plugins could be in some situations.

Team Yoast discovered that the user activation screen could be indexed by search engines in some uncommon configurations, leading to exposure of email addresses, and in some rare cases, default generated passwords.

Tim Coen and Slavco discovered that authors on Apache-hosted sites could upload specifically crafted files that bypass MIME verification, leading to a cross-site scripting vulnerability.


Discovery 2018-12-13
Entry 2018-12-15
wordpress
fr-wordpress
lt 5.0.1,1

de-wordpress
zh_CN-wordpress
zh_TW-wordpress
ja-wordpress
ru-wordpress
lt 5.0.1

https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
f4ce64c2-5bd4-11e5-9040-3c970e169bc2wordpress -- multiple vulnerabilities

Samuel Sidler reports:

WordPress 4.3.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

  • WordPress versions 4.3 and earlier are vulnerable to a cross-site scripting vulnerability when processing shortcode tags (CVE-2015-5714). Reported by Shahar Tal and Netanel Rubin of Check Point.
  • A separate cross-site scripting vulnerability was found in the user list table. Reported by Ben Bidner of the WordPress security team.
  • Finally, in certain cases, users without proper permissions could publish private posts and make them sticky (CVE-2015-5715). Reported by Shahar Tal and Netanel Rubin of Check Point.

Discovery 2015-09-15
Entry 2015-09-15
Modified 2015-10-29
wordpress
lt 4.3.1,1

de-wordpress
ja-wordpress
ru-wordpress
zh-wordpress-zh_CN
zh-wordpress-zh_TW
lt 4.3.1

CVE-2015-5714
CVE-2015-5715
CVE-2015-7989
http://www.openwall.com/lists/oss-security/2015/10/28/1
https://wordpress.org/news/2015/09/wordpress-4-3-1/
14ea4458-e5cd-11e6-b56d-38d547003487wordpress -- multiple vulnerabilities

Aaron D. Campbell reports:

WordPress versions 4.7.1 and earlier are affected by three security issues:

  • The user interface for assigning taxonomy terms in Press This is shown to users who do not have permissions to use it.
  • WP_Query is vulnerable to a SQL injection (SQLi) when passing unsafe data. WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability.
  • A cross-site scripting (XSS) vulnerability was discovered in the posts list table.
  • An unauthenticated privilege escalation vulnerability was discovered in a REST API endpoint.

Discovery 2017-01-26
Entry 2017-01-29
wordpress
lt 4.7.2,1

de-wordpress
ja-wordpress
ru-wordpress
zh-wordpress-zh_CN
zh-wordpress-zh_TW
lt 4.7.2

CVE-2017-5610
CVE-2017-5611
CVE-2017-5612
http://www.openwall.com/lists/oss-security/2017/01/28/5
https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
https://make.wordpress.org/core/2017/02/01/disclosure-of-additional-security-fix-in-wordpress-4-7-2/
54e50cd9-c1a8-11e6-ae1b-002590263bf5wordpress -- multiple vulnerabilities

Jeremy Felt reports:

WordPress versions 4.6 and earlier are affected by two security issues: a cross-site scripting vulnerability via image filename, reported by SumOfPwn researcher Cengiz Han Sahin; and a path traversal vulnerability in the upgrade package uploader, reported by Dominik Schilling from the WordPress security team.


Discovery 2016-09-07
Entry 2016-12-14
wordpress
lt 4.6.1,1

de-wordpress
ja-wordpress
ru-wordpress
zh-wordpress-zh_CN
zh-wordpress-zh_TW
lt 4.6.1

https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/
bfcc23b6-3b27-11e6-8e82-002590263bf5wordpress -- multiple vulnerabilities

Adam Silverstein reports:

WordPress 4.5.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.5.2 and earlier are affected by several security issues: redirect bypass in the customizer, reported by Yassine Aboukir; two different XSS problems via attachment names, reported by Jouko Pynnönenand Divyesh Prajapati; revision history information disclosure, reported independently by John Blackbourn from the WordPress security team and by Dan Moen from the Wordfence Research Team; oEmbed denial of service reported by Jennifer Dodd from Automattic; unauthorized category removal from a post, reported by David Herrera from Alley Interactive; password change via stolen cookie, reported by Michael Adams from the WordPress security team; and some less secure sanitize_file_name edge cases reported by Peter Westwood of the WordPress security team.


Discovery 2016-06-18
Entry 2016-06-25
de-wordpress
ja-wordpress
ru-wordpress
zh-wordpress-zh_CN
zh-wordpress-zh_TW
lt 4.5.3

wordpress
lt 4.5.3,1

CVE-2016-5832
CVE-2016-5833
CVE-2016-5834
CVE-2016-5835
CVE-2016-5836
CVE-2016-5837
CVE-2016-5838
CVE-2016-5839
ports/210480
ports/210581
https://wordpress.org/news/2016/06/wordpress-4-5-3/
http://www.openwall.com/lists/oss-security/2016/06/23/9
b180d1fb-dac6-11e6-ae1b-002590263bf5wordpress -- multiple vulnerabilities

Aaron D. Campbell reports:

WordPress versions 4.7 and earlier are affected by eight security issues...


Discovery 2017-01-11
Entry 2017-01-15
wordpress
lt 4.7.1,1

de-wordpress
ja-wordpress
ru-wordpress
zh-wordpress-zh_CN
zh-wordpress-zh_TW
lt 4.7.1

CVE-2017-5487
CVE-2017-5488
CVE-2017-5489
CVE-2017-5490
CVE-2017-5491
CVE-2017-5492
CVE-2017-5493
http://www.openwall.com/lists/oss-security/2017/01/14/6
https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
a2589511-d6ba-11e7-88dd-00e04c1ea73dwordpress -- multiple issues

wordpress developers reports:

Use a properly generated hash for the newbloguser key instead of a determinate substring.

Add escaping to the language attributes used on html elements.

Ensure the attributes of enclosures are correctly escaped in RSS and Atom feeds.

Remove the ability to upload JavaScript files for users who do not have the unfiltered_html capability.


Discovery 2017-11-29
Entry 2017-12-01
wordpress
fr-wordpress
lt 4.9.1,1

de-wordpress
ja-wordpress
ru-wordpress
zh-wordpress-zh_CN
zh-wordpress-zh_TW
lt 4.9.1

https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
be38245e-44d9-11e8-a292-00e04c1ea73dwordpress -- multiple issues

wordpress developers reports:

Don't treat localhost as same host by default.

Use safe redirects when redirecting the login page if SSL is forced.

Make sure the version string is correctly escaped for use in generator tags.


Discovery 2018-04-03
Entry 2018-04-20
wordpress
fr-wordpress
lt 4.9.5,1

de-wordpress
zh_CN-wordpress
zh_TW-wordpress
ja-wordpress
lt 4.9.5

https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
15ee0e93-4bbb-11e9-9ba0-4c72b94353b5wordpress -- multiple issues

wordpress developers reports:

Hosts can now offer a button for their users to update PHP.

The recommended PHP version used by the Update PHP notice can now be filtered.


Discovery 2019-03-12
Entry 2019-03-21
wordpress
fr-wordpress
lt 5.1.1,1

de-wordpress
zh_CN-wordpress
zh_TW-wordpress
ja-wordpress
ru-wordpress
lt 5.1.1

https://wordpress.org/news/2019/03/wordpress-5-1-1-security-and-maintenance-release/
3686917b-164d-11e6-94fa-002590263bf5wordpress -- multiple vulnerabilities

Helen Hou-Sandi reports:

WordPress 4.5.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.5.1 and earlier are affected by a SOME vulnerability through Plupload, the third-party library WordPress uses for uploading files. WordPress versions 4.2 through 4.5.1 are vulnerable to reflected XSS using specially crafted URIs through MediaElement.js, the third-party library used for media players. MediaElement.js and Plupload have also released updates fixing these issues.


Discovery 2016-05-06
Entry 2016-05-10
wordpress
lt 4.5.2,1

de-wordpress
ja-wordpress
ru-wordpress
zh-wordpress-zh_CN
zh-wordpress-zh_TW
lt 4.5.2

CVE-2016-4566
CVE-2016-4567
https://wordpress.org/news/2016/05/wordpress-4-5-2/
http://www.openwall.com/lists/oss-security/2016/05/07/7
82752070-0349-11e7-b48d-00e04c1ea73dwordpress -- multiple vulnerabilities

WordPress versions 4.7.2 and earlier are affected by six security issues.

  • Cross-site scripting (XSS) via media file metadata.
  • Control characters can trick redirect URL validation.
  • Unintended files can be deleted by administrators using the plugin deletion functionality.
  • Cross-site scripting (XSS) via video URL in YouTube embeds.
  • Cross-site scripting (XSS) via taxonomy term names.
  • Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources.

Discovery 2017-03-07
Entry 2017-03-07
wordpress
lt 4.7.3,1

de-wordpress
ja-wordpress
ru-wordpress
zh-wordpress-zh_CN
zh-wordpress-zh_TW
lt 4.7.3

http://www.openwall.com/lists/oss-security/2017/03/07/3
https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/