CVE-2013-2173 - wp-includes/class-phpass.php in WordPress 3.5.1, when a password-protected post exists, allows remot

CVE-2013-2173

Summary

wp-includes/class-phpass.php in WordPress 3.5.1, when a password-protected post exists, allows remote attackers to cause a denial of service (CPU consumption) via a crafted value of a certain wp-postpass cookie.

References

Vulnerable Configurations

cpe:2.3:a:wordpress:wordpress:3.5.1:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:3.5.1:*:*:*:*:*:*:*

CVSS

Base:	4.3 (as of 22-08-2013 - 06:52)
Impact:
Exploitability:

CWE

CWE-310

CAPEC

Signature Spoofing by Key Recreation
An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
NONE	NONE	PARTIAL

cvss-vector via4

AV:N/AC:M/Au:N/C:N/I:N/A:P

refmap via4

bugtraq	20130613 Re: WordPress 3.5.1, Denial of Service
confirm	http://codex.wordpress.org/Version_3.5.2 http://wordpress.org/news/2013/06/wordpress-3-5-2/
debian	DSA-2718
misc	https://github.com/wpscanteam/wpscan/issues/219 https://vndh.net/note:wordpress-351-denial-service
mlist	[oss-security] 20130612 Re: CVE request: WordPress 3.5.1 denial of service vulnerability

Last major update

22-08-2013 - 06:52

Published

21-06-2013 - 13:57

Last modified

22-08-2013 - 06:52