CVE-2015-3439

NameCVE-2015-3439
DescriptionCross-site scripting (XSS) vulnerability in the Ephox (formerly Moxiecode) plupload.flash.swf shim 2.1.2 in Plupload, as used in WordPress 3.9.x, 4.0.x, and 4.1.x before 4.1.2 and other products, allows remote attackers to execute same-origin JavaScript functions via the target parameter, as demonstrated by executing a certain click function, related to _init.as and _fireEvent.as.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-236-1, DSA-3250-1
NVD severitymedium (attack range: remote)
Debian Bugs783347

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
wordpress (PTS)jessie4.1+dfsg-1+deb8u17fixed
jessie (security)4.1+dfsg-1+deb8u18fixed
stretch4.7.5+dfsg-2+deb9u3fixed
stretch (security)4.7.5+dfsg-2+deb9u4fixed
buster, sid4.9.7+dfsg1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
wordpresssource(unstable)4.2+dfsg-1medium783347
wordpresssourcejessie4.1+dfsg-1+deb8u1mediumDSA-3250-1
wordpresssourcesqueeze3.6.1+dfsg-1~deb6u6mediumDLA-236-1
wordpresssourcewheezy3.6.1+dfsg-1~deb7u6mediumDSA-3250-1

Notes

http://codex.wordpress.org/Version_4.1.2
https://wordpress.org/news/2015/04/wordpress-4-1-2/
Search for package or bug name: Reporting problems