[Forgot Password]
Login  Register Subscribe

23631

 
 

127000

 
 

102010

 
 

909

 
 

81309

 
 

123

Paid content will be excluded from the download.


Download | Alert*
CVE
view XML view JSON

CVE-2017-14990Date: (C)2017-10-04   (M)2018-02-19


WordPress 4.8.2 stores cleartext wp_signups.activation_key values (but stores the analogous wp_users.user_activation_key values as hashes), which might make it easier for remote attackers to hijack unactivated user accounts by leveraging database read access (such as access gained through an unspecified SQL injection vulnerability).

CVSS V3 Severity:CVSS V2 Severity:
CVSS Score  : 6.5CVSS Score  : 4.0
Exploit Score: 2.8Exploit Score: 8.0
Impact Score : 3.6Impact Score : 2.9
 
CVSS V3 Metrics:CVSS V2 Metrics:
Attack Vector: NETWORKAccess Vector: NETWORK
Attack Complexity: LOWAccess Complexity: LOW
Privileges Required: LOWAuthentication: SINGLE_INSTANCE
User Interaction: NONEConfidentiality: PARTIAL
Scope: UNCHANGEDIntegrity: NONE
Confidentiality: HIGHAvailability: NONE
Integrity: NONE 
Availability: NONE 
  





Reference:
SECTRACK-1039554
DSA-3997
https://core.trac.wordpress.org/ticket/38474

CWE    1
CWE-200
OVAL    1
oval:org.secpod.oval:def:603130

© 2013 SecPod Technologies