Vulnerability CVE-2011-4899


Published: 2012-01-30   Modified: 2012-02-13

Description:
** DISPUTED ** wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier does not ensure that the specified MySQL database service is appropriate, which allows remote attackers to configure an arbitrary database via the dbhost and dbname parameters, and subsequently conduct static code injection and cross-site scripting (XSS) attacks via (1) an HTTP request or (2) a MySQL query. NOTE: the vendor disputes the significance of this issue; however, remote code execution makes the issue important in many realistic environments.

See advisories in our WLB2 database:
Topic
Author
Date
Med.
WordPress <= 3.3.1 Multiple Vulnerabilities
Trustwave\'...
26.01.2012
Low
Elipse E3 Scada PLC Denial Of Service
Mauro Risonho
16.07.2014

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.5/10
6.4/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial
Affected software
Wordpress -> Wordpress 

 References:
https://www.trustwave.com/spiderlabs/advisories/TWSL2012-002.txt
http://www.exploit-db.com/exploits/18417
http://archives.neohapsis.com/archives/bugtraq/2012-01/0150.html

Copyright 2024, cxsecurity.com

 

Back to Top