CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score
Confidence: Low
EPSS
Percentile: 72.8%

Package : wordpress
Version : 3.6.1+dfsg-1~deb7u20
CVE ID : CVE-2017-17091 CVE-2017-17092 CVE-2017-17093
         CVE-2017-17094
Debian Bug : 883314

Several vulnerabilities were discovered in wordpress, a web blogging
tool. The Common Vulnerabilities and Exposures project identifies the
following issues.

CVE-2017-17091

    wp-admin/user-new.php in WordPress sets the newbloguser
    key to a string that can be directly derived from the user ID, which
    allows remote attackers to bypass intended access restrictions by
    entering this string.

CVE-2017-17092

    wp-includes/functions.php in WordPress does not require the
    unfiltered_html capability for upload of .js files, which might
    allow remote attackers to conduct XSS attacks via a crafted file.

CVE-2017-17093

    wp-includes/general-template.php in WordPress does not properly
    restrict the lang attribute of an HTML element, which might allow
    attackers to conduct XSS attacks via the language setting of a site.

CVE-2017-17094

    wp-includes/feed.php in WordPress does not properly
    restrict enclosures in RSS and Atom fields, which might allow
    attackers to conduct XSS attacks via a crafted URL.

For Debian 7 "Wheezy", these problems have been fixed in version
3.6.1+dfsg-1~deb7u20.

We recommend that you upgrade your wordpress packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS