CVE-2021-29447

Sažetak

Wordpress is an open source CMS. A user with the ability to upload files (like an Author) can exploit an XML parsing issue in the Media Library leading to XXE attacks. This requires WordPress installation to be using PHP 8. Access to internal files is possible in a successful XXE attack. This has been patched in WordPress version 5.7.1, along with the older affected versions via a minor release. We strongly recommend you keep auto-updates enabled.

Reference

https://wordpress.org/news/category/security/
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-rv47-pc52-qrhh
https://lists.debian.org/debian-lts-announce/2021/04/msg00017.html
https://www.debian.org/security/2021/dsa-4896
http://packetstormsecurity.com/files/163148/XML-External-Entity-Via-MP3-File-Upload-On-WordPress.html
http://packetstormsecurity.com/files/164198/WordPress-5.7-Media-Library-XML-Injection.html
https://blog.sonarsource.com/wordpress-xxe-security-vulnerability/

CVSS

Base:	4.0
Impact:	2.9
Exploitability:	8.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	SINGLE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	NONE	NONE

CVSS vektor

AV:N/AC:L/Au:S/C:P/I:N/A:N

Zadnje važnije ažuriranje

27-10-2022 - 23:06

Objavljeno

15-04-2021 - 21:15