Summary: | <www-apps/wordpress-2.8.3: wp-admin/admin.php multiple vulnerabilities, incomplete fix of (CVE-2009-{2334,2853,2854}) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Alex Legler (RETIRED) <a3li> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | trivial | CC: | web-apps |
Priority: | High | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | http://wordpress.org/development/2009/08/wordpress-2-8-3-security-release/ | | |
Whiteboard: | ~1 [noglsa] | | |
Package list: | | Runtime testing required: | --- |
Description
Alex Legler (RETIRED)
2009-08-04 17:19:30 UTC
+*wordpress-2.8.3 (04 Aug 2009) + + 04 Aug 2009; Tobias Scherbaum <dertobi123@gentoo.org> + -wordpress-2.8.2.ebuild, +wordpress-2.8.3.ebuild: + Bump for yet another security fix, #280346 +

Thanks, closing.

CVE-2009-2853 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2853): Wordpress before 2.8.3 allows remote attackers to gain privileges via a direct request to (1) admin-footer.php, (2) edit-category-form.php, (3) edit-form-advanced.php, (4) edit-form-comment.php, (5) edit-link-category-form.php, (6) edit-link-form.php, (7) edit-page-form.php, and (8) edit-tag-form.php in wp-admin/.

CVE-2009-2854 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2854): Wordpress before 2.8.3 does not check capabilities for certain actions, which allows remote attackers to make unauthorized edits or additions via a direct request to (1) edit-comments.php, (2) edit-pages.php, (3) edit.php, (4) edit-category-form.php, (5) edit-link-category-form.php, (6) edit-tag-form.php, (7) export.php, (8) import.php, or (9) link-add.php in wp-admin/.