The get_allowed_mime_types function in wp-includes/functions.php in WordPress before 3.6.1 does not require the unfiltered_html capability for uploads of .htm and .html files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file.
References
Link | Resource |
---|---|
http://wordpress.org/news/2013/09/wordpress-3-6-1/ | Patch Vendor Advisory |
http://codex.wordpress.org/Version_3.6.1 | Vendor Advisory |
http://core.trac.wordpress.org/changeset/25322 | Patch Vendor Advisory |
http://www.debian.org/security/2013/dsa-2757 |
Configurations
Information
Published : 2013-09-12 06:30
Updated : 2013-09-26 20:47
NVD link : CVE-2013-5738
Mitre link : CVE-2013-5738
JSON object : View
CWE
CWE-20
Improper Input Validation
Products Affected
wordpress
- wordpress