CVE-2019-20041
Severity: CRITICAL
WAF coverage: Medium
CVSS 9.8
Published: 2019-12-27
CWE-20
wp_kses_bad_protocol in wp-includes/kses.php in WordPress before 5.3.1 mishandles the HTML5 colon named entity, allowing attackers to bypass input sanitization, as demonstrated by the javascript: substring.

Why this matters: browsers decode the HTML5 named entity &colon; to ':' when they interpret an attribute such as href. A value like javascript&colon;alert(1) is therefore treated as a javascript: URL by the browser, while a URL-scheme filter that only recognises a literal colon (or its numeric entity forms &#58; and &#x3a;) and does not decode the named entity never sees a scheme separator and lets the value through unchanged. WordPress 5.3.1 addresses this (see the github.com patch reference below).
WAF Coverage Analysis
Weakness class: CWE-20 Improper Input Validation
WAF coverage: Medium
OWASP Top 10: A03:2021 Injection
Relevant CRS rule groups:
- 920xxx Protocol Enforcement
- 941xxx XSS / XXE
- 942xxx SQL Injection
The bypass relies on HTML entity encoding of the scheme separator, so coverage depends on the WAF decoding HTML entities (HTML5 named entities such as &colon; included) before its XSS patterns are applied; a rule that matches only the literal javascript: string misses the encoded form.
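To make the bypass and the detection requirement concrete, the block below is an added example written for this page; it is not WordPress's code and not the text of the 5.3.1 patch. It is a simplified model of a split-on-colon URL-scheme filter in a vulnerable form (literal colon and numeric entity forms only) and a hardened form that also treats &colon; as a separator, plus the browser-side entity decoding that turns javascript&colon; back into a live javascript: scheme, and a detection check of the kind a WAF needs, which decodes entities before matching. The function and constant names, the allowed-protocol list and the sample payloads are all constructed for the example.

```python
import html
import re

# Added example: a simplified model of a "bad protocol" filter that splits an
# attribute value on the first colon and strips disallowed URL schemes. It is
# NOT WordPress's wp_kses_bad_protocol(); it reproduces only the shape of the
# bug: the vulnerable variant recognises a literal ':' and the numeric entity
# forms (&#58; / &#x3a;) but not the HTML5 named entity &colon;.
ALLOWED_PROTOCOLS = {"http", "https", "mailto"}   # assumed allow-list

# Vulnerable separator pattern: no named entity.
VULNERABLE_COLON = re.compile(r":|&#0*58;|&#x0*3a;", re.IGNORECASE)
# Hardened separator pattern: &colon; is a colon too.
HARDENED_COLON = re.compile(r":|&#0*58;|&#x0*3a;|&colon;", re.IGNORECASE)


def _normalise_scheme(raw: str) -> str:
    """Decode entities and drop whitespace/control characters, which is what a
    browser effectively does before it interprets a URL scheme."""
    decoded = html.unescape(raw)
    return re.sub(r"[\x00-\x20]", "", decoded).lower()


def bad_protocol_once(value: str, colon_re) -> str:
    """One filtering pass: if the text before the first recognised colon is a
    disallowed scheme, strip it; otherwise return the value unchanged."""
    parts = colon_re.split(value, maxsplit=1)
    if len(parts) != 2:
        return value                 # no separator seen: value passes as-is
    scheme, rest = parts
    if _normalise_scheme(scheme) in ALLOWED_PROTOCOLS:
        return value
    return rest.strip()              # disallowed scheme removed


def bad_protocol(value: str, colon_re, max_passes: int = 6) -> str:
    """Repeat the pass until the value stops changing, with a bound so that a
    crafted input cannot make the sanitiser loop forever."""
    for _ in range(max_passes):
        new_value = bad_protocol_once(value, colon_re)
        if new_value == value:
            break
        value = new_value
    return value


def vulnerable_filter(value: str) -> str:
    return bad_protocol(value, VULNERABLE_COLON)


def hardened_filter(value: str) -> str:
    return bad_protocol(value, HARDENED_COLON)


def browser_view(attribute_value: str) -> str:
    """What the browser sees once the attribute's entities are decoded."""
    return html.unescape(attribute_value)


def waf_flags_js_scheme(raw_value: str) -> bool:
    """Detection-side check: decode HTML entities (named ones included) and
    strip whitespace/control characters BEFORE looking for the javascript:
    scheme. Matching the literal string 'javascript:' misses the entity form."""
    return _normalise_scheme(raw_value).startswith("javascript:")


if __name__ == "__main__":
    # Constructed inputs for illustration, not taken from a real incident.
    for payload in ("https://example.com/",
                    "javascript:alert(1)",
                    "javascript&#58;alert(1)",
                    "javascript&colon;alert(1)",
                    "java&#115;cript&colon;alert(1)"):
        print(f"{payload!r:38} vulnerable={vulnerable_filter(payload)!r:34} "
              f"hardened={hardened_filter(payload)!r:24} "
              f"browser={browser_view(payload)!r:24} "
              f"waf_flag={waf_flags_js_scheme(payload)}")
```

Running the block shows the asymmetry at the heart of the CVE: the vulnerable filter strips javascript: and javascript&#58; but returns javascript&colon;alert(1) untouched, while the browser decodes exactly that string to javascript:alert(1). The hardened filter and the entity-decoding WAF check both catch it, and the java&#115;cript&colon; variant shows why the scheme itself must be entity-decoded before it is compared against the allow-list.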
Affected Software
| Vendor | Product | Version |
|---|---|---|
| wordpress | wordpress | before 5.3.1 (fixed in 5.3.1) |
| debian | debian_linux | 8.0 |
| debian | debian_linux | 9.0 |
| debian | debian_linux | 10.0 |
References
- github.com (Patch)
- lists.debian.org (Mailing List, Third Party Advisory)
- seclists.org (Mailing List, Third Party Advisory)
- wordpress.org (Release Notes, Vendor Advisory)
- www.debian.org (Third Party Advisory)