Hi Craig,

On Fri, Sep 06, 2019 at 05:37:45PM +1000, Craig Small wrote:
> Source: wordpress
> Version: 5.2.2+dfsg1-1
> Severity: normal
> Tags: security
>
> Wordpress has release 5.2.3 which fixes several security holes.
>
> From
> https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
>
> Security Updates
> Props to Simon Scannell of RIPS Technologies for finding and disclosing two
> issues. The first, a cross-site scripting (XSS) vulnerability found in post
> previews by contributors. The second was a cross-site scripting vulnerability
> in stored comments.
> Props to Tim Coen for disclosing an issue where validation and sanitization
> of a URL could lead to an open redirect.
> Props to Anshul Jain for disclosing reflected cross-site scripting during
> media uploads.
> Props to Zhouyuan Yang of Fortinet’s FortiGuard Labs who disclosed a
> vulnerability for cross-site scripting (XSS) in shortcode previews.
> Props to Ian Dunn of the Core Security Team for finding and disclosing a case
> where reflected cross-site scripting could be found in the dashboard.
> Props to Soroush Dalili (@irsdl) from NCC Group for disclosing an issue with
> URL sanitization that can lead to cross-site scripting (XSS) attacks.
> In addition to the above changes, we are also updating jQuery on older
> versions of WordPress. This change was added in 5.2.1 and is now being
> brought to older versions.

I guess you can/will ask for CVEs for those issues? Can you report those
back here and on team@s.d.o once known?

Regards,
Salvatore