CVE-2019-20041

wp_kses_bad_protocol in wp-includes/kses.php in WordPress before 5.3.1 mishandles the HTML5 colon named entity, allowing attackers to bypass input sanitization, as demonstrated by the javascript: substring.
Configurations

Configuration 1 (hide)

cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

History

23 Nov 2022, 20:12

Type Values Removed Values Added
First Time Debian
Debian debian Linux
CPE cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
References (MLIST) https://lists.debian.org/debian-lts-announce/2020/01/msg00010.html - (MLIST) https://lists.debian.org/debian-lts-announce/2020/01/msg00010.html - Mailing List, Third Party Advisory
References (BUGTRAQ) https://seclists.org/bugtraq/2020/Jan/8 - (BUGTRAQ) https://seclists.org/bugtraq/2020/Jan/8 - Mailing List, Third Party Advisory
References (DEBIAN) https://www.debian.org/security/2020/dsa-4599 - (DEBIAN) https://www.debian.org/security/2020/dsa-4599 - Third Party Advisory
References (DEBIAN) https://www.debian.org/security/2020/dsa-4677 - (DEBIAN) https://www.debian.org/security/2020/dsa-4677 - Third Party Advisory

Information

Published : 2019-12-27 08:15

Updated : 2022-11-23 20:12


NVD link : CVE-2019-20041

Mitre link : CVE-2019-20041


JSON object : View

Products Affected

wordpress

  • wordpress

debian

  • debian_linux
CWE
CWE-20

Improper Input Validation