From 7070b039c5ee82efdb6b1c0e215f7be2160e8afd Mon Sep 17 00:00:00 2001
From: Ryan Dewhurst <ryandewhurst@gmail.com>
Date: Wed, 9 Apr 2014 13:50:42 -0700
Subject: [PATCH] Created CVE-2014-0165 (markdown)

---
 CVE-2014-0165.md | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 CVE-2014-0165.md

diff --git a/CVE-2014-0165.md b/CVE-2014-0165.md
new file mode 100644
index 0000000..81427ea
--- /dev/null
+++ b/CVE-2014-0165.md
@@ -0,0 +1,9 @@
+Using the bulk edit feature you can publish posts and pages PUBLICLY without the publishing-cap. The problem is that there are no checks for publishing-cap's on serverside. It's only protected in UI.
+
+How to reproduce:
+1. Login as contributor
+2. Create a draft post
+3. Mark the draft in post list and open the bulk edit form
+4. Make use of tools like Firebug to change a value in the status dropdown. You have to set the value of an entry to 'publish' 
+5. Select the changed status entry 
+6. Push the button and welcome to the next level
\ No newline at end of file