Source: wordpress Version: 6.5.3+dfsg1-1 Severity: grave Tags: security upstream Justification: user security hole X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerabilities were published for wordpress. CVE-2024-6307[0]: | WordPress Core is vulnerable to Stored Cross-Site Scripting via the | HTML API in various versions prior to 6.5.5 due to insufficient | input sanitization and output escaping on URLs. This makes it | possible for authenticated attackers, with contributor-level access | and above, to inject arbitrary web scripts in pages that will | execute whenever a user accesses an injected page. CVE-2024-31111[1]: | Improper Neutralization of Input During Web Page Generation (XSS or | 'Cross-site Scripting') vulnerability in Automattic WordPress allows | Stored XSS.This issue affects WordPress: from 6.5 through 6.5.4, | from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through | 6.2.5, from 6.1 through 6.1.6, from 6.0 through 6.0.8, from 5.9 | through 5.9.9. CVE-2024-32111[2]: | Improper Limitation of a Pathname to a Restricted Directory ('Path | Traversal') vulnerability in Automattic WordPress allows Relative | Path Traversal.This issue affects WordPress: from 6.5 through 6.5.4, | from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through | 6.2.5, from 6.1 through 6.1.6, from 6.0 through 6.0.8, from 5.9 | through 5.9.9, from 5.8 through 5.8.9, from 5.7 through 5.7.11, from | 5.6 through 5.6.13, from 5.5 through 5.5.14, from 5.4 through | 5.4.15, from 5.3 through 5.3.17, from 5.2 through 5.2.20, from 5.1 | through 5.1.18, from 5.0 through 5.0.21, from 4.9 through 4.9.25, | from 4.8 through 4.8.24, from 4.7 through 4.7.28, from 4.6 through | 4.6.28, from 4.5 through 4.5.31, from 4.4 through 4.4.32, from 4.3 | through 4.3.33, from 4.2 through 4.2.37, from 4.1 through 4.1.40. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2024-6307 https://www.cve.org/CVERecord?id=CVE-2024-6307 [1] https://security-tracker.debian.org/tracker/CVE-2024-31111 https://www.cve.org/CVERecord?id=CVE-2024-31111 [2] https://security-tracker.debian.org/tracker/CVE-2024-32111 https://www.cve.org/CVERecord?id=CVE-2024-32111 [3] https://wordpress.org/news/2024/06/wordpress-6-5-5/ Regards, Salvatore