CVE-2020-11026

Sažetak

In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an authenticated user with privileges to upload files. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

Reference

https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-3gw2-4656-pfr2
https://www.debian.org/security/2020/dsa-4677
https://lists.debian.org/debian-lts-announce/2020/05/msg00011.html

CVSS

Base:	3.5
Impact:	2.9
Exploitability:	6.8

Pristup

Vektor	Složenost	Autentikacija
NETWORK	MEDIUM	SINGLE

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	PARTIAL	NONE

CVSS vektor

AV:N/AC:M/Au:S/C:N/I:P/A:N

Zadnje važnije ažuriranje

01-03-2023 - 16:45

Objavljeno

30-04-2020 - 23:15