[Pkg-owncloud-maintainers] Bug#823649: libjs-mediaelement: Reflected XSS vulnerability
Craig Small
csmall at debian.org
Sat May 7 01:58:22 UTC 2016
Package: libjs-mediaelement
Version: 2.15.1+dfsg-1
Severity: important
Tags: security upstream

I saw this regarding the WordPress 4.5.2 release[1]. MediaElement.js is
vulnerable to a reflected XSS attack. The WordPress patch is at [2],
but I cannot find exactly what has changed; I think it is that the
URL has the time added to randomize it more. [3]

1: https://wordpress.org/news/2016/05/wordpress-4-5-2/
2: https://core.trac.wordpress.org/changeset/37370
3: https://github.com/johndyer/mediaelement/commit/34834eef8ac830b9145df169ec22016a4350f06e
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.4.0-1-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
libjs-mediaelement depends on no packages.
Versions of packages libjs-mediaelement recommends:
ii libjs-jquery 1.11.3+dfsg-4
libjs-mediaelement suggests no packages.
-- no debconf information