Base Score

MEDIUM6.1

CVE-2017-9061

In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability exists when attempting to upload very large files, because the error message does not properly restrict presentation of the filename.

VectorNETWORK

Published Bycve@mitre.org

Published DateMay 18, 2017, 14:29

Weakness Type (CWE):CWE-79

CVSS Metrics

Base Score

6.1

Vector String

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Base Severity

MEDIUM

Version

3.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

REQUIRED

Scope (S)

CHANGED

Confidentiality (C)

LOW

Integrity (I)

LOW

Availability (A)

NONE

References

http://www.debian.org/security/2017/dsa-3870
http://www.securityfocus.com/bid/98509
http://www.securitytracker.com/id/1038520
https://codex.wordpress.org/Version_4.7.5
https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6
https://wordpress.org/news/2017/05/wordpress-4-7-5/
https://wpvulndb.com/vulnerabilities/8819

Base Score

MEDIUM6.1

Weakness Type (CWE):CWE-79

CVSS Metrics

Base Score

6.1

Vector String

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Base Severity

MEDIUM

Version

3.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

REQUIRED

Scope (S)

CHANGED

Confidentiality (C)

LOW

Integrity (I)

LOW

Availability (A)

NONE