9.8

CVE-2019-20041

WordPress Core < 5.3.1 - Authenticated Stored Cross-Site Scripting

wp_kses_bad_protocol in wp-includes/kses.php in WordPress before 5.3.1 mishandles the HTML5 colon named entity, allowing attackers to bypass input sanitization, as demonstrated by the javascript: substring.
Mögliche Gegenmaßnahme
WordPress: Update to one of the following versions, or a newer patched version: 3.7.32, 3.8.32, 3.9.30, 4.0.29, 4.1.29, 4.2.26, 4.3.22, 4.4.21, 4.5.20, 4.6.17, 4.7.16, 4.8.12, 4.9.13, 5.0.8, 5.1.4, 5.2.5, 5.3.1
Weitere Schwachstelleninformationen
SystemWordPress Core
Produkt WordPress
Version [*, 3.7)
Version 3.7 - 3.7.31
Version 3.8 - 3.8.31
Version 3.9 - 3.9.29
Version 4.0 - 4.0.28
Version 4.1 - 4.1.28
Version 4.2 - 4.2.25
Version 4.3 - 4.3.21
Version 4.4 - 4.4.20
Version 4.5 - 4.5.19
Version 4.6 - 4.6.16
Version 4.7 - 4.7.15
Version 4.8 - 4.8.11
Version 4.9 - 4.9.12
Version 5.0 - 5.0.7
Version 5.1 - 5.1.3
Version 5.2 - 5.2.4
Version 5.3
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
WordpressWordpress Version < 5.3.1
DebianDebian Linux Version8.0
DebianDebian Linux Version9.0
DebianDebian Linux Version10.0
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.05% 0.769
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://seclists.org/bugtraq/2020/Jan/8
Third Party Advisory
Mailing List