PT-2011-2570 · WordPress · Wordpress
Nils Jueneman
+1
·
Publicado
2011-03-14
·
Atualizado
2017-11-22
·
CVE-2011-0701
CVSS v2.0
4.0
Média
| Vetor | AV:N/AC:L/Au:S/C:P/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
WordPress versions prior to 3.0.5
Description
The issue allows remote authenticated users to read draft or private posts by modifying the
attachment id parameter in the media uploader. This is due to a flaw in the wp-admin/async-upload.php file.Recommendations
For versions prior to 3.0.5, update to version 3.0.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the media uploader to minimize the risk of exploitation. Avoid using the modified
attachment id parameter in the affected API endpoint until the issue is resolved.Correção
Information Disclosure
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Wordpress