Bug 354341 - <www-apps/wordpress-3.0.5: XSS and Information disclosure (CVE-2011-{0700,0701})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://codex.wordpress.org/Version_3.0.5
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-02-10 10:44 UTC by Yury German
Modified: 2011-02-10 13:46 UTC
0 users

See Also:
Package list:
Runtime testing required: ---


Description Yury German Gentoo Infrastructure gentoo-dev 2011-02-10 10:44:19 UTC
On February 7, 2011, WordPress 3.0.5 was released to the public. This is a security update for all previous WordPress versions.

Vulnerabilities are:
# Fix XSS bug: Properly encode title used in Quick/Bulk Edit, and offer
  additional sanitization to various fields. Affects users of the Author or
  Contributor role. (r17397, r17406, r17412)
# Fix XSS bug: Preserve tag escaping in the tags meta box. Affects users of
  the Author or Contributor role. (r17401)

CVE-2011-0700

# Fix potential information disclosure of posts through the media uploader.
  Affects users of the Author role. (r17393)

CVE-2011-0701
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-02-10 13:46:06 UTC
Fixed version of wordpress is in the tree. No stabilization required.