9.8

CVE-2019-20041

WordPress Core < 5.3.1 - Authenticated Stored Cross-Site Scripting

wp_kses_bad_protocol in wp-includes/kses.php in WordPress before 5.3.1 mishandles the HTML5 colon named entity, allowing attackers to bypass input sanitization, as demonstrated by the javascript: substring.
Mögliche Gegenmaßnahme
WordPress: Update to one of the following versions, or a newer patched version: 3.7.32, 3.8.32, 3.9.30, 4.0.29, 4.1.29, 4.2.26, 4.3.22, 4.4.21, 4.5.20, 4.6.17, 4.7.16, 4.8.12, 4.9.13, 5.0.8, 5.1.4, 5.2.5, 5.3.1
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
WordpressWordpress Version < 5.3.1
DebianDebian Linux Version8.0
DebianDebian Linux Version9.0
DebianDebian Linux Version10.0
Weitere Schwachstelleninformationen
SystemWordPress Core
Produkt WordPress
Version [*, 3.7)
Version 3.7-3.7.31
Version 3.8-3.8.31
Version 3.9-3.9.29
Version 4.0-4.0.28
Version 4.1-4.1.28
Version 4.2-4.2.25
Version 4.3-4.3.21
Version 4.4-4.4.20
Version 4.5-4.5.19
Version 4.6-4.6.16
Version 4.7-4.7.15
Version 4.8-4.8.11
Version 4.9-4.9.12
Version 5.0-5.0.7
Version 5.1-5.1.3
Version 5.2-5.2.4
Version 5.3
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 4.65% 0.906
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://www.debian.org/security/2020/dsa-4677
Third Party Advisory
https://seclists.org/bugtraq/2020/Jan/8
Third Party Advisory
Mailing List
https://www.debian.org/security/2020/dsa-4599
Third Party Advisory
https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
Vendor Advisory
Release Notes
https://github.com/WordPress/wordpress-develop/commit/b1975463dd995da19bb40d3fa0786498717e3c53
Patch
https://lists.debian.org/debian-lts-announce/2020/01/msg00010.html
Third Party Advisory
Mailing List
https://www.wordfence.com/threat-intel/vulnerabilities/id/1bc0aa64-57a6-44ef-974a-70991cc3820f
Third Party Advisory