Hi Craig,

On Fri, Sep 06, 2019 at 05:37:45PM +1000, Craig Small wrote:
> Source: wordpress
> Version: 5.2.2+dfsg1-1
> Severity: normal
> Tags: security
> WordPress has released 5.2.3 which fixes several security holes.
> From 
> https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
> Security Updates
> Props to Simon Scannell of RIPS Technologies for finding and disclosing two 
> issues. The first, a cross-site scripting (XSS) vulnerability found in post 
> previews by contributors. The second was a cross-site scripting vulnerability 
> in stored comments.
> Props to Tim Coen for disclosing an issue where validation and sanitization 
> of a URL could lead to an open redirect.
> Props to Anshul Jain for disclosing reflected cross-site scripting during 
> media uploads.
> Props to Zhouyuan Yang of Fortinet’s FortiGuard Labs who disclosed a 
> vulnerability for cross-site scripting (XSS) in shortcode previews.
> Props to Ian Dunn of the Core Security Team for finding and disclosing a case 
> where reflected cross-site scripting could be found in the dashboard.
> Props to Soroush Dalili (@irsdl) from NCC Group for disclosing an issue with 
> URL sanitization that can lead to cross-site scripting (XSS) attacks.
> In addition to the above changes, we are also updating jQuery on older 
> versions of WordPress. This change was added in 5.2.1 and is now being 
> brought to older versions.

I guess you can/will ask for CVEs for those issues? Can you report
those back here and on team@s.d.o once known?

