Source: wordpress
Version: 4.9.1+dfsg-1
Severity: grave
Tags: security
Justification: user security hole

An XSS vulnerability was discovered in the Flash fallback files in 
MediaElement, a library that is included with WordPress. Because the Flash 
files are no longer needed for most use cases, they have been removed from 
WordPress.

I'm not 100% sure of how bad this is for Debian packages as a lot of
flash items are removed, but it could be still possibly triggered by
the JavaScript around it (this is where the patches seem to be).

This impacts all versions back to 3.7.

References:

https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/
https://wpvulndb.com/vulnerabilities/9006

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8), LANGUAGE=en_AU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
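
A quick way to answer the reporter's open question (whether a packaged WordPress tree still ships the MediaElement Flash fallback files that upstream removed in 4.9.2) is to look for any .swf left under the MediaElement directory. The script below is an added example, not part of this bug report, of the Debian package, or of WordPress itself. It assumes the upstream layout wp-includes/js/mediaelement relative to the WordPress root; the sample trees it builds, including the file name flashmediaelement.swf, are constructed for the demonstration and are not taken from a real install.

```shell
#!/bin/sh
# Added example (not from the bug report, Debian, or WordPress).
# Lists Flash fallback files (.swf) still shipped under the MediaElement
# directory of a WordPress install, so a packaged tree can be compared
# against the upstream 4.9.2 removal.
# Assumption: the upstream layout wp-includes/js/mediaelement under the
# WordPress root; adjust the path if the package lays files out differently.

# Print every .swf found under the mediaelement directory of the root in $1.
# Exit status: 0 = none present, 1 = at least one remains, 2 = directory missing.
check_mediaelement_swf() {
    root=$1
    dir="$root/wp-includes/js/mediaelement"
    if [ ! -d "$dir" ]; then
        echo "no mediaelement directory under $root" >&2
        return 2
    fi
    found=$(find "$dir" -type f -name '*.swf' | sort)
    if [ -n "$found" ]; then
        echo "$found"
        return 1
    fi
    return 0
}

# Build two constructed sample trees under $1 (not real package contents):
# "stale" keeps one Flash fallback file, "clean" ships only JavaScript.
make_sample_tree() {
    base=$1
    mkdir -p "$base/stale/wp-includes/js/mediaelement" \
             "$base/clean/wp-includes/js/mediaelement"
    : > "$base/stale/wp-includes/js/mediaelement/flashmediaelement.swf"
    : > "$base/stale/wp-includes/js/mediaelement/mediaelement-and-player.min.js"
    : > "$base/clean/wp-includes/js/mediaelement/mediaelement-and-player.min.js"
}

# Demonstration on the constructed trees. Against a real install, call
#   check_mediaelement_swf /path/to/wordpress
# with the root the package installs to (an assumed path, verify with dpkg -L).
tmp=$(mktemp -d)
make_sample_tree "$tmp"
check_mediaelement_swf "$tmp/stale" || echo "stale tree: Flash fallback still present"
check_mediaelement_swf "$tmp/clean" && echo "clean tree: no Flash fallback shipped"
rm -rf "$tmp"
```

A non-zero exit from the check only says that .swf files are still installed; whether the surrounding JavaScript can still load them is a separate question, which is why the reporter's note about the patched JS matters even when the Flash files are absent.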
