CVE-2017-8295 in WordPressinfo

Zusammenfassung

von MITRE

WordPress through 4.7.4 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for user-assisted remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request and then arranging for this e-mail to bounce or be resent, leading to transmission of the reset key to a mailbox on an attacker-controlled SMTP server. This is related to problematic use of the SERVER_NAME variable in wp-includes/pluggable.php in conjunction with the PHP mail function.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Reservieren

27.04.2017

Veröffentlichung

04.05.2017

Moderieren

akzeptiert

Eintrag

VDB-100856

CPE

bereit

CWE

CWE-640 (bestätigt)

Exploit

Download

CVSS

5.9 (NVD)

EPSS

0.77097

KEV

nein

Aktivitäten

very low

Sektor

Agriculture, Hostingprovider, ...

Quellen

MITRE	https://www.cve.org/CVERecord?id=CVE-2017-8295
NVD	https://nvd.nist.gov/vuln/detail/CVE-2017-8295
CVE Details	https://www.cvedetails.com/cve/CVE-2017-8295/

◂ Zurück Übersicht Weiter ▸

Do you need the next level of professionalism?

Upgrade your account now!