CVE-2012-2401
Published: 21 April 2012
Plupload before 1.5.4, as used in wp-includes/js/plupload/ in WordPress before 3.3.2 and other products, enables scripting regardless of the domain from which the SWF content was loaded, which allows remote attackers to bypass the Same Origin Policy via crafted content.
Priority
Status
Package | Release | Status |
---|---|---|
wordpress (Launchpad, Ubuntu, Debian) | hardy | Ignored (end of life) |
wordpress | lucid | Ignored (end of life) |
wordpress | natty | Ignored (end of life) |
wordpress | oneiric | Ignored (end of life) |
wordpress | precise | Ignored (end of life) |
wordpress | quantal | Not vulnerable (3.3.2+dfsg-1) |
wordpress | raring | Not vulnerable (3.3.2+dfsg-1) |
wordpress | saucy | Not vulnerable (3.3.2+dfsg-1) |
wordpress | trusty | Does not exist (trusty was not-affected [3.3.2+dfsg-1]) |
wordpress | upstream | Needed |
wordpress | utopic | Not vulnerable (3.3.2+dfsg-1) |
wordpress | vivid | Not vulnerable (3.3.2+dfsg-1) |
wordpress | wily | Not vulnerable (3.3.2+dfsg-1) |
wordpress | xenial | Not vulnerable (3.3.2+dfsg-1) |
wordpress | yakkety | Not vulnerable (3.3.2+dfsg-1) |
wordpress | zesty | Not vulnerable (3.3.2+dfsg-1) |

Patches: upstream: http://core.trac.wordpress.org/browser/branches/3.3/wp-includes/js/plupload?rev=20487
References
- http://wordpress.org/news/2012/04/wordpress-3-3-2/
- http://core.trac.wordpress.org/browser/branches/3.3/wp-includes/js/plupload?rev=20487
- http://core.trac.wordpress.org/browser/branches/3.3/wp-includes/js/plupload/changelog.txt?rev=20487
- https://www.cve.org/CVERecord?id=CVE-2012-2401
- NVD
- Launchpad
- Debian