PT-2017-13807 · Debian+1

Tomdxw · Published 2017-10-02 · Updated 2019-10-03 · CVE-2017-14990

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

WordPress version 4.8.2
Debian Linux (affected versions not specified)

Description

The issue allows remote attackers to potentially hijack unactivated user accounts by leveraging database read access, such as through an unspecified SQL injection vulnerability. This is because WordPress stores `wp_signups.activation_key` values in cleartext, unlike the hashed `wp_users.user_activation_key` values.

Recommendations

For WordPress version 4.8.2, consider updating to a newer version that addresses this issue. For Debian Linux, at the moment, there is no information about a newer version that contains a fix for this vulnerability.
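
The storage difference described above, modelled with an in-memory SQLite database as an added example (not WordPress code and not part of the original advisory). The table and column names, the helper functions and the use of SHA-256 are assumptions of this example; it shows that a value read from a cleartext key column is accepted as an activation key, while a value read from a hashed column is not.

```python
import hashlib
import secrets
import sqlite3

def digest(key):
    # Assumption: a plain SHA-256 is used because the key is long and random.
    return hashlib.sha256(key.encode()).hexdigest()

def setup():
    db = sqlite3.connect(":memory:")
    # Constructed stand-ins for a signup table, one per storage style.
    db.execute("CREATE TABLE signups_cleartext (user_login TEXT, activation_key TEXT)")
    db.execute("CREATE TABLE signups_hashed (user_login TEXT, activation_key_hash TEXT)")
    return db

def register(db, login):
    """Create a pending signup in both tables; return the key that would be e-mailed."""
    key = secrets.token_hex(16)
    db.execute("INSERT INTO signups_cleartext VALUES (?, ?)", (login, key))
    db.execute("INSERT INTO signups_hashed VALUES (?, ?)", (login, digest(key)))
    return key

def activate_cleartext(db, presented):
    # The stored value is the credential itself.
    row = db.execute("SELECT user_login FROM signups_cleartext "
                     "WHERE activation_key = ?", (presented,)).fetchone()
    return row[0] if row else None

def activate_hashed(db, presented):
    # Only the digest of the presented key is compared with the stored value.
    row = db.execute("SELECT user_login FROM signups_hashed "
                     "WHERE activation_key_hash = ?", (digest(presented),)).fetchone()
    return row[0] if row else None

def demo():
    db = setup()
    emailed = register(db, "alice")  # constructed sample user
    # What read-only access to each table exposes.
    stored_clear = db.execute("SELECT activation_key FROM signups_cleartext").fetchone()[0]
    stored_hash = db.execute("SELECT activation_key_hash FROM signups_hashed").fetchone()[0]
    return {
        "cleartext_value_from_db": activate_cleartext(db, stored_clear),
        "hashed_value_from_db": activate_hashed(db, stored_hash),
        "emailed_key_hashed_table": activate_hashed(db, emailed),
    }

if __name__ == "__main__":
    print(demo())
```
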

Exploit

Cleartext Storage of Sensitive Information


Weakness Enumeration

Related Identifiers

CVE-2017-14990
DSA-3997-1

Affected Products

Debian
WordPress