Jon Cave

**Name of the Vulnerable Software and Affected Versions** Symfony versions prior to 2.7.51 Symfony versions 2.8.x prior to 2.8.50 Symfony versions 3.x prior to 3.4.26 Symfony versions 4.x prior to 4.1.12 Symfony versions 4.2.x prior to 4.2.7 **Description** A vulnerability in Symfony's security component allows an attacker to authenticate as a privileged user on sites with user registration and remember me login functionality enabled. This issue is related to the `generateCookieHash` function in `symfony/security` and is caused by an error during the authentication process. Exploitation of this vulnerability can allow a remote attacker to bypass the authentication procedure. **Recommendations** For Symfony versions prior to 2.7.51, update to version 2.7.51 or later. For Symfony versions 2.8.x prior to 2.8.50, update to version 2.8.50 or later. For Symfony versions 3.x prior to 3.4.26, update to version 3.4.26 or later. For Symfony versions 4.x prior to 4.1.12, update to version 4.1.12 or later. For Symfony versions 4.2.x prior to 4.2.7, update to version 4.2.7 or later.

**Name of the Vulnerable Software and Affected Versions** WordPress versions prior to 4.2.3 **Description** A cross-site scripting (XSS) issue allows remote authenticated users to inject arbitrary web script or HTML by leveraging the Author or Contributor role to place a crafted shortcode inside an HTML element, related to wp-includes/kses.php and wp-includes/shortcodes.php. **Recommendations** For versions prior to 4.2.3, update to version 4.2.3 or later to resolve the issue. As a temporary workaround, consider restricting the use of shortcodes for users with the Author or Contributor role until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** WordPress versions prior to 3.5.1 **Description** The issue involves multiple cross-site scripting (XSS) vulnerabilities that allow remote attackers to inject arbitrary web script or HTML. This can be achieved through vectors involving gallery shortcodes or the content of a post. **Recommendations** For versions prior to 3.5.1, update to version 3.5.1 or later to resolve the issue. As a temporary workaround, consider restricting the use of gallery shortcodes and limiting the ability to add arbitrary content to posts until the update is applied.

**Name of the Vulnerable Software and Affected Versions** WordPress versions prior to 3.3.2 **Description** The issue makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors, due to an attempt to enable clickable links inside attributes in the wp-includes/formatting.php file. **Recommendations** For versions prior to 3.3.2, update to version 3.3.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WordPress versions prior to 3.3.2 **Description** The issue concerns an unspecified vulnerability in the wp-includes/js/swfobject.js file. The impact and attack vectors of this issue are unknown. **Recommendations** For versions prior to 3.3.2, update to version 3.3.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WordPress versions prior to 3.3.2 **Description** The issue allows remote attackers to conduct cross-site scripting (XSS) attacks. This is due to the support of offsite redirects in the wp-comments-post.php file. **Recommendations** For versions prior to 3.3.2, update to version 3.3.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Plupload versions prior to 1.5.4 WordPress versions prior to 3.3.2 **Description** The issue allows remote attackers to bypass the Same Origin Policy via crafted content, enabling scripting regardless of the domain from which the SWF content was loaded. **Recommendations** For Plupload versions prior to 1.5.4, update to version 1.5.4 or later. For WordPress versions prior to 3.3.2, update to version 3.3.2 or later.

**Name of the Vulnerable Software and Affected Versions** WordPress versions prior to 3.3.2 **Description** The issue allows remote authenticated site administrators to bypass intended access restrictions. This can be exploited to deactivate network-wide plugins. **Recommendations** For versions prior to 3.3.2, update to version 3.3.2 or later to resolve the issue.