NVD

Id
40974  
Name
CVE-2013-5738  
Description
The get_allowed_mime_types function in wp-includes/functions.php in WordPress before 3.6.1 does not require the unfiltered_html capability for uploads of .htm and .html files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file.  
Reject
 
CVSS Version
2  
CVSS Score
4.3  
Severity
Medium  
CVSS Base Score
4.3  
CVSS Impact Subscore
2.9  
CVSS Exploit Subscore
8.6  
CVSS Vector
(AV:N/AC:M/Au:N/C:N/I:P/A:N)  
Pub Date
2017-01-18  
Published
2013-09-12  
Modified Date
2013-09-26  
Seq
2013-5738  

Actions

Related NVD References

Id NVD Id NVD No. Reference Actions
207068 40974 CVE-2013-5738 http://codex.wordpress.org/Version_3.6.1  View
207069 40974 CVE-2013-5738 http://core.trac.wordpress.org/changeset/25322  View
207070 40974 CVE-2013-5738 http://wordpress.org/news/2013/09/wordpress-3-6-1/  View
207071 40974 CVE-2013-5738 DSA-2757  View

Related JVN

Id Name Title Summary Cveinfo Name Cveinfo Id Nvdinfo Name Nvdinfo Id Cvssv2 Cvssv3 Jvnurl Published Date Last Updated Date Actions
22512 JVNDB-2013-004087 WordPress の wp-includes/functions.php におけるクロスサイトスクリプティングの脆弱性 WordPress の wp-includes/functions.php の get_allowed_mime_types 関数は、.htm および .html ファイルをアップロードする際に unfiltered_html 権限を要求しないため、クロスサイトスクリプティング攻撃を実行される脆弱性が存在します。 CVE-2013-5738 65680 CVE-2013-5738 40974 4.3 http://jvndb.jvn.jp/ja/contents/2013/JVNDB-2013-004087.html 2013-09-10 2013-10-11 View