Package: libjs-mediaelement
Version: 2.15.1+dfsg-1
Severity: important
Tags: security upstream

I saw this regarding the WordPress 4.5.2 release [1]. MediaElement.js is
vulnerable to a reflected XSS attack.

The WordPress patch is at [2], but I cannot find exactly what has changed; I
think it is that the URL has the time added to randomize it more. [3]

1: https://wordpress.org/news/2016/05/wordpress-4-5-2/
2: https://core.trac.wordpress.org/changeset/37370
3: https://github.com/johndyer/mediaelement/commit/34834eef8ac830b9145df169ec22016a4350f06e

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.4.0-1-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

libjs-mediaelement depends on no packages.

Versions of packages libjs-mediaelement recommends:
ii  libjs-jquery  1.11.3+dfsg-4

libjs-mediaelement suggests no packages.

-- no debconf information