CVE-2018-20149

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/", "name": "https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/", "tags": ["Vendor Advisory", "Release Notes"], "refsource": "MISC"}, {"url": "https://github.com/WordPress/WordPress/commit/246a70bdbfac3bd45ff71c7941deef1bb206b19a", "name": "https://github.com/WordPress/WordPress/commit/246a70bdbfac3bd45ff71c7941deef1bb206b19a", "tags": ["Patch", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://www.zdnet.com/article/wordpress-plugs-bug-that-led-to-google-indexing-some-user-passwords/", "name": "https://www.zdnet.com/article/wordpress-plugs-bug-that-led-to-google-indexing-some-user-passwords/", "tags": ["Press/Media Coverage", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://wordpress.org/support/wordpress-version/version-5-0-1/", "name": "https://wordpress.org/support/wordpress-version/version-5-0-1/", "tags": ["Release Notes", "Vendor Advisory"], "refsource": "MISC"}, {"url": "https://codex.wordpress.org/Version_4.9.9", "name": "https://codex.wordpress.org/Version_4.9.9", "tags": ["Product", "Vendor Advisory"], "refsource": "MISC"}, {"url": "https://wpvulndb.com/vulnerabilities/9175", "name": "https://wpvulndb.com/vulnerabilities/9175", "tags": ["Vendor Advisory"], "refsource": "MISC"}, {"url": "http://www.securityfocus.com/bid/106220", "name": "106220", "tags": ["Third Party Advisory", "VDB Entry"], "refsource": "BID"}, {"url": "https://lists.debian.org/debian-lts-announce/2019/02/msg00019.html", "name": "[debian-lts-announce] 20190211 [SECURITY] [DLA 1673-1] wordpress security update", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "MLIST"}, {"url": "https://www.debian.org/security/2019/dsa-4401", "name": "DSA-4401", "tags": ["Third Party Advisory"], "refsource": "DEBIAN"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files that bypass intended MIME type restrictions, leading to XSS, as demonstrated by a .jpg file without JPEG data."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-79"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2018-20149", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "severity": "LOW", "acInsufInfo": false, "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}, "baseMetricV3": {"cvssV3": {"scope": "CHANGED", "version": "3.0", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}}, "publishedDate": "2018-12-14T20:29Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "5.0.1", "versionStartIncluding": "5.0"}, {"cpe23Uri": "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "4.9.9"}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2019-03-04T14:20Z"}