Package: wordpress
Version: 3.4.2+dfsg-1
Severity: important
Tags: security
Overview: WordPress 3.4.2 does not invalidate a wordpress_sec session cookie
upon an administrator's logout action, which makes it easier for remote
attackers to discover valid session identifiers via a brute-force attack, or
modify data via a replay attack.
CVSS Severity (version 2.0):
CVSS v2 Base Score: 2.6 (LOW) (AV:N/AC:H/Au:N/C:P/I:N/A:N)
Impact Subscore: 2.9
Exploitability Subscore: 4.9
CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: High
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information
http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout
Please email me in case you need my help.
- Henri Salo
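
The behaviour described in the overview, as an added example (not WordPress code and not part of the original report): a simplified model of a signed cookie that the server cannot revoke at logout, beside a variant that keeps a per-session token server-side and drops it on logout. The cookie layout, key, class names and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

SECRET = b"constructed-demo-key"  # constructed value, not a real site key

def _mac(value):
    return hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()

def _verify(cookie):
    """Return the payload fields if the MAC is valid and the expiry is in the future."""
    payload, _, mac = cookie.rpartition("|")
    if not hmac.compare_digest(mac.encode(), _mac(payload).encode()):
        return None
    fields = payload.split("|")  # MAC is valid, so the server built these fields
    return fields if int(fields[1]) > time.time() else None

class StatelessAuth:
    """Cookie is user|expiry|MAC; the server keeps no per-session state."""
    def login(self, user, ttl=3600):
        payload = f"{user}|{int(time.time()) + ttl}"
        return f"{payload}|{_mac(payload)}"
    def logout(self, cookie):
        pass  # only the browser's copy is cleared; a captured copy stays valid
    def validate(self, cookie):
        return _verify(cookie) is not None

class RevocableAuth:
    """Cookie is user|expiry|token|MAC; the token must also be live server-side."""
    def __init__(self):
        self.active = set()  # keyed hashes of live session tokens
    def login(self, user, ttl=3600):
        token = secrets.token_urlsafe(32)
        self.active.add(_mac(token))
        payload = f"{user}|{int(time.time()) + ttl}|{token}"
        return f"{payload}|{_mac(payload)}"
    def logout(self, cookie):
        fields = _verify(cookie)
        if fields is not None and len(fields) == 3:
            self.active.discard(_mac(fields[2]))  # server-side invalidation
    def validate(self, cookie):
        fields = _verify(cookie)
        return fields is not None and len(fields) == 3 and _mac(fields[2]) in self.active

def replay_after_logout(auth):
    """True if a cookie issued before logout is still accepted afterwards."""
    cookie = auth.login("admin")
    auth.logout(cookie)
    return auth.validate(cookie)
```

With the stateless scheme the only bound on a captured cookie's lifetime is its expiry field, so a shorter TTL narrows the window but does not close it.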