CVE-2015-3439

NameCVE-2015-3439
DescriptionCross-site scripting (XSS) vulnerability in the Ephox (formerly Moxiecode) plupload.flash.swf shim 2.1.2 in Plupload, as used in WordPress 3.9.x, 4.0.x, and 4.1.x before 4.1.2 and other products, allows remote attackers to execute same-origin JavaScript functions via the target parameter, as demonstrated by executing a certain click function, related to _init.as and _fireEvent.as.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-236-1, DSA-3250-1
NVD severitymedium
Debian Bugs783347

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
wordpress (PTS)stretch4.7.5+dfsg-2+deb9u6fixed
stretch (security)4.7.19+dfsg-1+deb9u1fixed
buster, buster (security)5.0.11+dfsg1-0+deb10u1fixed
bullseye, sid5.6+dfsg1-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
wordpresssourcesqueeze3.6.1+dfsg-1~deb6u6DLA-236-1
wordpresssourcewheezy3.6.1+dfsg-1~deb7u6DSA-3250-1
wordpresssourcejessie4.1+dfsg-1+deb8u1DSA-3250-1
wordpresssource(unstable)4.2+dfsg-1783347

Notes

http://codex.wordpress.org/Version_4.1.2
https://wordpress.org/news/2015/04/wordpress-4-1-2/
Search for package or bug name: Reporting problems