On Tue, 2017-10-03 at 17:17 +0200, Salvatore Bonaccorso wrote:
> Source: wordpress
> Version: 4.8.2+dfsg-1
> Severity: important
> Tags: upstream security
> Forwarded: https://core.trac.wordpress.org/ticket/38474
>
> Hi,
>
> the following vulnerability was published for wordpress.
>
> CVE-2017-14990[0]:
> > WordPress 4.8.2 stores cleartext wp_signups.activation_key values (but
> > stores the analogous wp_users.user_activation_key values as hashes),
> > which might make it easier for remote attackers to hijack unactivated
> > user accounts by leveraging database read access (such as access gained
> > through an unspecified SQL injection vulnerability).
>

Hi Craig,

will you handle this one as well, squeezing it in the upcoming DSA?

Regards,
--
Yves-Alexis
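The storage difference named in the CVE text, as an added example that is not part of the original message and is not WordPress code: a signup key kept in cleartext can be replayed by anyone who can read the column, while a stored digest cannot. The table layout, the function names and the use of SHA-256 (adequate here only because the key is a long random value) are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import sqlite3


def open_db():
    # Constructed stand-in for a signups table; not the WordPress schema.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE signups (user_login TEXT PRIMARY KEY,"
        " activation_key TEXT NOT NULL, active INTEGER NOT NULL DEFAULT 0)"
    )
    return db


def _digest(key):
    # Assumption: a plain SHA-256 is enough because the key is 256 random bits.
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def create_signup(db, login, hashed=True):
    """Store the signup and return the key that would be e-mailed to the user."""
    key = secrets.token_urlsafe(32)
    stored = _digest(key) if hashed else key
    db.execute("INSERT INTO signups (user_login, activation_key) VALUES (?, ?)",
               (login, stored))
    return key


def stored_value(db, login):
    """The column content visible to anyone with database read access."""
    row = db.execute("SELECT activation_key FROM signups WHERE user_login = ?",
                     (login,)).fetchone()
    return row[0] if row else None


def activate(db, login, presented, hashed=True):
    """Activate the signup only if the presented key matches the stored value."""
    stored = stored_value(db, login)
    if stored is None:
        return False
    candidate = _digest(presented) if hashed else presented
    # Constant-time comparison of the presented key (or its digest).
    if not hmac.compare_digest(candidate.encode("utf-8"), stored.encode("utf-8")):
        return False
    cur = db.execute("UPDATE signups SET active = 1 WHERE user_login = ? AND active = 0",
                     (login,))
    return cur.rowcount == 1
```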