Alerts

Safari v6.0.3 / Security Update 2013-001

FYI...

Safari v6.0.3 released
- https://support.apple.com/kb/HT5671
14 Mar 2013
> http://prod.lists.apple.com/archives/security-announce/2013/Mar/msg00003.html

- https://secunia.com/advisories/52658/
Release Date: 2013-03-15
Criticality level: Highly critical
Impact: Cross Site Scripting, System access
Where: From remote ...
Solution: Update to version 6.0.3.

- http://www.securitytracker.com/id/1028292
CVE Reference: CVE-2013-0960, CVE-2013-0961
Mar 14 2013
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 6.0.3...
___

APPLE-SA-2013-03-14-1 OS X Mountain Lion v10.8.3 and Security Update 2013-001
- https://support.apple.com/kb/HT5672
14 Mar 2013
> http://prod.lists.apple.com/archives/security-announce/2013/Mar/msg00002.html

- http://prod.lists.apple.com/archives/security-announce/2013/Mar/index.html

- https://secunia.com/advisories/52643/
Release Date: 2013-03-15
Criticality level: Highly critical
Impact: Spoofing, Security Bypass, Exposure of system information, Exposure of sensitive information, Cross Site Scripting, System access
Where: From remote ...
Solution: Update to OS X Mountain Lion 10.8.3 or apply Security Update 2013-001.

- http://atlas.arbor.net/briefs/index#-1321171050
High Severity
March 15, 2013
Apple releases security patches for a variety of issues in OSX.
Analysis: Considering a typical attack on an end-user system, there are several issues that require attention to include: 1) A method for an attacker to launch a Java application even though Java may be disabled 2) Quicktime security vulnerabilities in the handling of MP4 files and 3) security issues in the way PDFKit handles certain malformed PDF documents. In addition to these issues there are multiple other issues that affect specific scenarios on a server install or issues that would open up the system to a local attack...

- http://www.securitytracker.com/id/1028294
CVE Reference: CVE-2013-0963, CVE-2013-0967, CVE-2013-0969, CVE-2013-0970, CVE-2013-0971, CVE-2013-0973, CVE-2013-0976
Updated: Mar 15 2013
Impact: Execution of arbitrary code via network, Modification of system information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 10.6.x, 10.7.x, 10.8.x...

About the OS X Mountain Lion v10.8.3 Update
- https://support.apple.com/kb/HT5612
Mar 14, 2013

OS X Mountain Lion Update v10.8.3 (Combo)
- https://support.apple.com/kb/DL1640
Mar 14, 2013

Security Update 2013-001 (Snow Leopard)
- https://support.apple.com/kb/DL1642
Mar 14, 2013

Security Update 2013-001 (Lion)
- https://support.apple.com/kb/DL1643
Mar 14, 2013

:fear::fear:
 
iOS 6.1.3 released

FYI...

APPLE-SA-2013-03-19-1 iOS 6.1.3
- http://prod.lists.apple.com/archives/security-announce/2013/Mar/msg00004.html
19 Mar 2013

- https://support.apple.com/kb/HT5704

- http://www.securitytracker.com/id/1028314
CVE Reference: CVE-2013-0977, CVE-2013-0978, CVE-2013-0979, CVE-2013-0981
Mar 19 2013
Impact: Disclosure of system information, Execution of arbitrary code via local system, Modification of system information, Root access via local system, User access via local system
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 6.1.3...
Impact: A local user can obtain elevated privileges on the target system.
Solution: The vendor has issued a fix (iOS 6.1.3) as part of APPLE-SA-2013-03-19-1 iOS 6.1.3.

- https://secunia.com/advisories/52173/
Last Update: 2013-03-20
Criticality level: Highly critical
Impact: Security Bypass, System access
Where: From remote...
Operating System: Apple iOS 6.x for iPhone 3GS and later, iPad 6.x, iPod touch 6.x
Solution: Apply iOS 6.1.3 Software Update.
___

APPLE-SA-2013-03-19-2 Apple TV 5.2.1
- http://prod.lists.apple.com/archives/security-announce/2013/Mar/msg00005.html
19 Mar 2013

- https://secunia.com/advisories/52685/
Release Date: 2013-03-20
CVE Reference(s): CVE-2013-0977, CVE-2013-0978, CVE-2013-0981
Impact: Security Bypass
Where: Local system
Solution: Update to version 5.2.1.
___

Apple changes iOS 6.1 VPN feature
- http://h-online.com/-1837018
8 April 2013

:fear:
 
Google Picasa 136.17 ...

FYI...

Google Picasa 136.17 ...
- https://secunia.com/advisories/51652/
Release Date: 2013-03-20
Criticality level: Highly critical
Impact: System access
Where: From remote...
For more information: https://secunia.com/SA35515/
... vulnerabilities are confirmed in version 3.9.0 Build 136.09 for Windows and reported in versions prior to 3.9.0 Build 3.9.14.34 for Mac. Other versions may also be affected.
Solution: Update to a fixed version.
Original Advisory: http://support.google.com/picasa/answer/53209
Windows: Build 136.17 - March 14, 2012

:fear:
 
Thunderbird v17.0.5 released

FYI...

Thunderbird v17.0.5 released
- https://www.mozilla.org/en-US/thunderbird/17.0.5/releasenotes
April 2, 2013
FIXED - Security fixes* ...
FIXED - Adjusting font size when composing emails should be easier (Bug 824926)

Automated Updates: https://support.mozillamessaging.com/en-US/kb/updating-thunderbird
Manual check: Go to >Help >About Thunderbird

Download: https://www.mozilla.org/thunderbird/all.html

Fixed in Thunderbird 17.0.5
* https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html#thunderbird17.0.5
MFSA 2013-40 Out-of-bounds array read in CERT_DecodeCertPackage
MFSA 2013-38 Cross-site scripting (XSS) using timed history navigations
MFSA 2013-36 Bypass of SOW protections allows cloning of protected nodes
MFSA 2013-35 WebGL crash with Mesa graphics driver on Linux
MFSA 2013-34 Privilege escalation through Mozilla Updater
MFSA 2013-32 Privilege escalation through Mozilla Maintenance Service
MFSA 2013-31 Out-of-bounds write in Cairo library
MFSA 2013-30 Miscellaneous memory safety hazards (rv:20.0 / rv:17.0.5)

- http://www.securitytracker.com/id/1028382
CVE Reference: CVE-2013-0788, CVE-2013-0789, CVE-2013-0790, CVE-2013-0791, CVE-2013-0793, CVE-2013-0795, CVE-2013-0796, CVE-2013-0797, CVE-2013-0799, CVE-2013-0800
Apr 3 2013
Impact: Denial of service via network, Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via local system, Execution of arbitrary code via network, Modification of user information, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 17.0.5

:fear::fear:
 
Thunderbird v17.0.6 released

FYI...

Thunderbird v17.0.6 released
- https://www.mozilla.org/en-US/thunderbird/17.0.6/releasenotes
May 14, 2013

- https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html#thunderbird17.0.6
Fixed in Thunderbird 17.0.6
MFSA 2013-48 Memory corruption found using Address Sanitizer
MFSA 2013-47 Uninitialized functions in DOMSVGZoomEvent
MFSA 2013-46 Use-after-free with video and onresize event
MFSA 2013-44 Local privilege escalation through Mozilla Maintenance Service
MFSA 2013-42 Privileged access for content level constructor
MFSA 2013-41 Miscellaneous memory safety hazards (rv:21.0 / rv:17.0.6)

Automated Updates: https://support.mozillamessaging.com/en-US/kb/updating-thunderbird
Manual check: Go to >Help >About Thunderbird

Download: https://www.mozilla.org/thunderbird/all.html

- https://secunia.com/advisories/53443/
Release Date: 2013-05-15
Criticality level: Highly critical
Impact: Security Bypass, System access
Where: From remote ...
For more information: https://secunia.com/SA53400/
... vulnerabilities are reported in versions prior to 17.0.6.
Solution: Update to version 17.0.6.

- http://www.securitytracker.com/id/1028559
CVE Reference: CVE-2013-0801, CVE-2013-1669, CVE-2013-1670, CVE-2013-1672, CVE-2013-1674, CVE-2013-1675, CVE-2013-1676, CVE-2013-1677, CVE-2013-1678, CVE-2013-1679, CVE-2013-1680, CVE-2013-1681
May 14 2013
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 17.0.6

:fear:
 
iTunes 11.0.3 released

FYI...

iTunes 11.0.3 released
- https://support.apple.com/kb/HT5766
May 16, 2013

- http://prod.lists.apple.com/archives/security-announce/2013/May/msg00000.html
May 16, 2013

Use Apple Software Update
-or-
- https://www.apple.com/itunes/download/
iTunes 11.0.3 for Windows XP, Vista or Windows 7

- http://www.securitytracker.com/id/1028575
CVE Reference: CVE-2013-0879, CVE-2013-0991, CVE-2013-0992, CVE-2013-0993, CVE-2013-0994, CVE-2013-0995, CVE-2013-0996, CVE-2013-0997, CVE-2013-0998, CVE-2013-0999, CVE-2013-1000, CVE-2013-1001, CVE-2013-1002, CVE-2013-1003, CVE-2013-1004, CVE-2013-1005, CVE-2013-1006, CVE-2013-1007, CVE-2013-1008, CVE-2013-1010, CVE-2013-1011, CVE-2013-1014
May 16 2013
Impact: Execution of arbitrary code via network, Modification of authentication information, User access via network
Fix Available: Yes Vendor Confirmed: Yes ...
Impact: A remote user can execute arbitrary code on the target system.
A remote user can spoof digital certificates.
Solution: The vendor has issued a fix (11.0.3).

:fear:
 
QuickTime 7.7.4 released

FYI...

QuickTime 7.7.4 released
- https://support.apple.com/kb/HT5770
May 22, 2013

- https://support.apple.com/kb/HT1222

> http://prod.lists.apple.com/archives/security-announce/2013/May/msg00001.html
... QuickTime 7.7.4 may be obtained from the QuickTime Downloads site:
http://www.apple.com/quicktime/download/
-or-
Use Apple Software Update.

- https://secunia.com/advisories/53520/
Release Date: 2013-05-23
Criticality level: Highly critical
Impact: System access
Where: From remote...
CVE Reference(s): CVE-2013-0986, CVE-2013-0987, CVE-2013-0988, CVE-2013-0989, CVE-2013-1015, CVE-2013-1016, CVE-2013-1017, CVE-2013-1018, CVE-2013-1019, CVE-2013-1020, CVE-2013-1021, CVE-2013-1022
... vulnerabilities are reported in versions prior to 7.7.4.
Solution: Update to version 7.7.4.

- http://www.securitytracker.com/id/1028589
CVE Reference: CVE-2013-0986, CVE-2013-0987, CVE-2013-0988, CVE-2013-0989, CVE-2013-1015, CVE-2013-1016, CVE-2013-1017, CVE-2013-1018, CVE-2013-1019, CVE-2013-1020, CVE-2013-1021, CVE-2013-1022
May 23 2013
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 7.7.4 ...

- http://h-online.com/-1868186
23 May 2013

:fear:
 
IrfanView FlashPix PlugIn FPX 4.36 released

FYI...

IrfanView FlashPix PlugIn FPX 4.36 released
- https://secunia.com/advisories/53579/
Release Date: 2013-05-30
Criticality level: Highly critical
Impact: System access
Where: From remote...
Software: IrfanView FlashPix PlugIn 4.x
CVE Reference: CVE-2013-3486
... vulnerability is caused due to an integer overflow error within the Fpx.dll module...
- http://www.irfanview.com/plugins.htm
PlugIns updated after the version 4.35:
FPX Plugin (4.36) - Installer or ZIP - Fixed loading of FPX (FlashPix) files (reported by Secunia)
- http://www.irfanview.net/plugins/irfanview_plugin_fpx.exe

:fear::fear:
 
Apple OS X 10.8.4 - Safari v6.0.5 released

FYI...

Apple OS X 10.8.4 - Security Update 2013-002
- http://www.securitytracker.com/id/1028625
CVE Reference: CVE-2013-0982, CVE-2013-0983, CVE-2013-0984, CVE-2013-0985, CVE-2013-0975, CVE-2013-0990, CVE-2013-1024
Jun 5 2013
Impact: Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 10.8.x prior to 10.8.4; 10.6.x, 10.7.x ...
Solution: The vendor has issued a fix (10.8.4; Security Update 2013-002).
Vendor URL: http://support.apple.com/kb/HT5784

- http://prod.lists.apple.com/archives/security-announce/2013/Jun/msg00000.html

- https://secunia.com/advisories/53684/
Release Date: 2013-06-05
Criticality level: Highly critical
Impact: Cross Site Scripting, Exposure of sensitive information, Security Bypass, DoS, System access
Where: From remote...

- http://h-online.com/-1883007
5 June 2013

- https://support.apple.com/kb/HT1222
___

Safari v6.0.5 released
- http://www.securitytracker.com/id/1028627
CVE Reference: CVE-2013-0926, CVE-2013-1009, CVE-2013-1012, CVE-2013-1013, CVE-2013-1023
Jun 5 2013
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 6.0.5
Solution: The vendor has issued a fix (6.0.5).
Vendor URL: http://support.apple.com/kb/HT5785

- http://prod.lists.apple.com/archives/security-announce/2013/Jun/msg00001.html

- https://secunia.com/advisories/53711/
Release Date: 2013-06-05
Criticality level: Highly critical
Impact: Security Bypass, Cross Site Scripting, Spoofing, System access
Where: From remote...
___

- https://isc.sans.edu/diary.html?storyid=15929
Last Updated: 2013-06-05 02:43:44 UTC

:fear::fear:
 
WordPress v3.5.2 released

FYI...

WordPress v3.5.2 released
- https://wordpress.org/download/
June 21, 2013 - "The latest stable release of WordPress (Version 3.5.2) is available..."

- https://wordpress.org/news/
June 21, 2013 - "... This is the second maintenance release of 3.5, fixing 12 bugs. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. The WordPress security team resolved seven security issues, and this release also contains some additional security hardening... Download WordPress 3.5.2 or update now from the Dashboard..."
- https://wordpress.org/news/2013/06/wordpress-3-5-2/

Release notes
- https://codex.wordpress.org/Version_3.5.2
CVE-2013-2173, CVE-2013-2199, CVE-2013-2200, CVE-2013-2201, CVE-2013-2202, CVE-2013-2203, CVE-2013-2204, CVE-2013-2205

"WordPress Plugin" search results ...
- https://secunia.com/advisories/search/?search=WordPress+Plugin
Found -606- Secunia Security Advisories ...
June 21, 2013
___

- http://www.securitytracker.com/id/1028700
CVE Reference: CVE-2013-2199, CVE-2013-2200, CVE-2013-2201, CVE-2013-2202, CVE-2013-2203, CVE-2013-2204, CVE-2013-2205
Jun 25 2013
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 3.5.2 ...

- http://h-online.com/-1895188
24 June 2013

:fear::fear:
 
Thunderbird v17.0.7 released

FYI...

Thunderbird v17.0.7 released
- https://www.mozilla.org/en-US/thunderbird/17.0.7/releasenotes
June 25, 2013

- https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html#thunderbird17.0.7
Fixed in Thunderbird 17.0.7
MFSA 2013-59 XrayWrappers can be bypassed to run user defined methods in a privileged context
MFSA 2013-56 PreserveWrapper has inconsistent behavior
MFSA 2013-55 SVG filters can lead to information disclosure
MFSA 2013-54 Data in the body of XHR HEAD requests leads to CSRF attacks
MFSA 2013-53 Execution of unmapped memory through onreadystatechange event
MFSA 2013-51 Privileged content access and execution via XBL
MFSA 2013-50 Memory corruption found using Address Sanitizer
MFSA 2013-49 Miscellaneous memory safety hazards (rv:22.0 / rv:17.0.7)

Automated Updates: https://support.mozillamessaging.com/en-US/kb/updating-thunderbird
Manual check: Go to >Help >About Thunderbird

Download: https://www.mozilla.org/thunderbird/all.html
___

- https://secunia.com/advisories/53953/
Release Date: 2013-06-26
Criticality level: Highly Critical
Impact: Security Bypass, Exposure of sensitive information, System access
... vulnerabilities are reported in versions prior to 17.0.7.
Solution: Update to version 17.0.7.

- http://www.securitytracker.com/id/1028704
CVE Reference: CVE-2013-1682, CVE-2013-1683, CVE-2013-1684, CVE-2013-1685, CVE-2013-1686, CVE-2013-1687, CVE-2013-1690, CVE-2013-1692, CVE-2013-1693, CVE-2013-1694, CVE-2013-1697
Jun 26 2013
Impact: Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 17.0.7 ...

:fear:
 
Ruby update...

FYI...

Ruby update - SSL vuln
- https://isc.sans.edu/diary.html?storyid=16076
Last Updated: 2013-06-27 16:57:11 UTC - "An update has been released for the SSL vulnerability reported in Ruby. From the site: "All Ruby versions are affected". The Ruby update also contains a patch for a DOS vulnerability... details here*."
* http://h-online.com/-1901986
___

- http://www.securitytracker.com/id/1028714
CVE Reference: CVE-2013-4073
Jun 27 2013
Impact: Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to versions 1.8.7-p374, 1.9.3-p448, 2.0.0-p247
Impact: A remote user can spoof SSL servers in certain cases.
Solution: The vendor has issued a fix (1.8.7-p374, 1.9.3-p448, 2.0.0-p247).
... vendor's advisory is available at:
- http://www.ruby-lang.org/en/news/20...ulnerability-in-openssl-client-cve-2013-4073/

- https://secunia.com/advisories/54011/
Release Date: 2013-06-28
Where: From remote
Impact: Spoofing
Solution Status: Vendor Patch
CVE Reference: CVE-2013-4073
Solution: Update to version Ruby 1.8.7-p374, 1.9.3-p448, or 2.0.0-p247.
Original Advisory: Ruby:
http://www.ruby-lang.org/en/news/20...ulnerability-in-openssl-client-cve-2013-4073/
___

Ruby 1.8.7 retired
- http://www.ruby-lang.org/en/news/2013/06/30/we-retire-1-8-7/
30 Jun 2013

:fear::fear:
 
IrfanView v4.36 released

FYI...

IrfanView v4.36 released
- https://secunia.com/advisories/53976/
Release Date: 2013-07-05
Criticality: Highly Critical
Where: From remote
Impact: System access
Solution Status: Vendor Patch
Software: IrfanView 4.x
... vulnerability is confirmed in version 4.35. Prior versions may also be affected.
Solution: Update to version 4.36.

- http://www.irfanview.com/main_download_engl.htm

- http://www.irfanview.com/main_history.htm
Release date: 2013-06-27

- http://www.irfanview.com/plugins.htm
The current PlugIns version is: 4.36

:fear:
 
OpenOffice 4.0 released

FYI...

OpenOffice 4.0 released
- https://cwiki.apache.org/confluence/display/OOOUSERS/AOO+4.0+Release+Notes
Jul 23, 2013

- http://www.openoffice.org/security/bulletin.html

Bug Fixes
- https://cwiki.apache.org/confluence...4.0+Release+Notes#AOO4.0ReleaseNotes-BugFixes
"As of July 17th 2013 there were -498- verified issues that have been resolved..."

- https://secunia.com/advisories/54133/
Release Date: 2013-07-26
Criticality: Highly Critical
Impact: System access
CVE Reference(s): CVE-2013-2189, CVE-2013-4156
... vulnerabilities are reported in versions 3.4.0 and 3.4.1. Prior versions may also be affected.
Solution: Upgrade to version 4.0
Original Advisory:
http://www.openoffice.org/security/cves/CVE-2013-2189.html
http://www.openoffice.org/security/cves/CVE-2013-4156.html

Instructions for Downloading and Installing Apache OpenOffice 4.0.0
- http://www.openoffice.org/download/common/instructions.html

Download
- http://www.openoffice.org/download/

:fear::fear:
 
WordPress v3.6 released

FYI...

WordPress v3.6 released
- https://wordpress.org/download/
August 1, 2013 - "The latest stable release of WordPress (Version 3.6) is available..."

- https://wordpress.org/news/2013/08/oscar/
"... WordPress, version 3.6, is now live to the world and includes a beautiful new blog-centric theme, bullet-proof autosave and post locking, a revamped revision browser, native support for audio and video embeds, and improved integrations with Spotify, Rdio, and SoundCloud..."

Release Post
- https://codex.wordpress.org/Version_3.6

Changelog
- https://codex.wordpress.org/Changelog/3.6

:spider:
 
Thunderbird v17.0.8 released

FYI...

Thunderbird v17.0.8 released
- https://www.mozilla.org/en-US/thunderbird/17.0.8/releasenotes
August 6, 2013

Security Advisories
- https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html#thunderbird17.0.8
Fixed in Thunderbird 17.0.8
MFSA 2013-75 Local Java applets may read contents of local file system
MFSA 2013-73 Same-origin bypass with web workers and XMLHttpRequest
MFSA 2013-72 Wrong principal used for validating URI for some Javascript components
MFSA 2013-71 Further Privilege escalation through Mozilla Updater
MFSA 2013-69 CRMF requests allow for code execution and XSS attacks
MFSA 2013-68 Document URI misrepresentation and masquerading
MFSA 2013-66 Buffer overflow in Mozilla Maintenance Service and Mozilla Updater
MFSA 2013-63 Miscellaneous memory safety hazards (rv:23.0 / rv:17.0.8)

Automated Updates: https://support.mozillamessaging.com/en-US/kb/updating-thunderbird
Manual check: Go to >Help >About Thunderbird

Download: https://www.mozilla.org/thunderbird/all.html
___

- http://www.securitytracker.com/id/1028887
CVE Reference: CVE-2013-1701, CVE-2013-1702, CVE-2013-1706, CVE-2013-1707, CVE-2013-1709, CVE-2013-1710, CVE-2013-1712, CVE-2013-1713, CVE-2013-1714, CVE-2013-1717
Aug 6 2013
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 17.0.8 ...

- https://secunia.com/advisories/54413/
Release Date: 2013-08-07
Criticality: Highly Critical
Where: From remote
Impact: Security Bypass, Spoofing, Exposure of sensitive information, Privilege escalation, System access
... vulnerabilities are reported in the following products:
* Mozilla Thunderbird and Thunderbird ESR versions prior to 17.0.8...

:fear::fear:
 
WordPress v3.6.1 released

FYI...

WordPress v3.6.1 released
- https://wordpress.org/download/
Sep 11, 2013 - "The latest stable release of WordPress (Version 3.6.1) is available..."

- http://www.securitytracker.com/id/1029025
Sep 11 2013
Impact: Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 3.6.1 ...
Solution: The vendor has issued a fix (3.6.1).
The vendor's advisory is available at:
- http://codex.wordpress.org/Version_3.6.1
"... Summary: From the announcement post*, this maintenance release addresses 13 bugs with version 3.6... Additionally: Version 3.6.1 fixes three security issues..."
* http://wordpress.org/news/2013/09/wordpress-3-6-1/

- https://secunia.com/advisories/54803/
Release Date: 2013-09-13
Criticality: Moderately Critical
Where: From remote
Impact: Security Bypass, Spoofing, System access
CVE Reference(s):
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4338 - 7.5 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4339 - 7.5 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4340 - 3.5
... weakness, security issue, and vulnerability are reported in versions prior to 3.6.1.
Solution: Update to version 3.6.1...

:fear::fear:
 