CVE-2020-11028

EPSS 0.83%
Veröffentlicht 30.04.2020 23:15:11
Zuletzt bearbeitet 21.11.2024 04:56:37
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

WordPress Core < 5.4.1 - Private Post Disclosure

In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

Mögliche Gegenmaßnahme

WordPress: Update to one of the following versions, or a newer patched version: 3.7.33, 3.8.33, 3.9.31, 4.0.30, 4.1.30, 4.2.27, 4.3.23, 4.4.22, 4.5.21, 4.6.18, 4.7.17, 4.8.13, 4.9.14, 5.0.9, 5.1.5, 5.2.6, 5.3.3, 5.4.1

Betroffene Produkte Warnungen 0 Metriken 4 CWE 2 Referenzen 8

Weitere Schwachstelleninformationen

SystemWordPress Core

≫

Produkt WordPress

Version [*, 3.7)

Version 3.7 - 3.7.32

Version 3.8 - 3.8.32

Version 3.9 - 3.9.30

Version 4.0 - 4.0.29

Version 4.1 - 4.1.29

Version 4.2 - 4.2.26

Version 4.3 - 4.3.22

Version 4.4 - 4.4.21

Version 4.5 - 4.5.20

Version 4.6 - 4.6.17

Version 4.7 - 4.7.16

Version 4.8 - 4.8.12

Version 4.9 - 4.9.13

Version 5.0 - 5.0.8

Version 5.1 - 5.1.4

Version 5.2 - 5.2.5

Version 5.3 - 5.3.2

Version 5.4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Wordpress ≫ Wordpress Version < 5.4.1

Debian ≫ Debian Linux Version9.0

Debian ≫ Debian Linux Version10.0

Debian ≫ Debian Linux Version8.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.83%	0.738

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:P/I:N/A:N
security-advisories@github.com	5.8	1.3	4	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

https://www.debian.org/security/2020/dsa-4677

Third Party Advisory

https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates

Vendor Advisory

Release Notes

https://lists.debian.org/debian-lts-announce/2020/05/msg00011.html

Third Party Advisory

Mailing List

https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-xhx9-759f-6p2w

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/b6b6fb24-f70b-44b0-a1e8-12ebc0e0c105

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2020-11028

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-11028

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-11028

EUVD