Bug 278492

Summary: <www-apps/wordpress-2.8.2 XSS Vulnerability in Comment author URLs (CVE-2009-2851)
Product: Gentoo Security
Reporter: Jeroen Roovers (RETIRED) <jer>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: web-apps
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://wordpress.org/development/2009/07/wordpress-2-8-2/
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description Jeroen Roovers (RETIRED) gentoo-dev 2009-07-20 18:22:44 UTC
"WordPress 2.8.2 fixes an XSS vulnerability. Comment author URLs were not
fully sanitized when displayed in the admin. This could be exploited to
redirect you away from the admin to another site."
Comment 1 Tobias Scherbaum (RETIRED) gentoo-dev 2009-07-20 18:44:47 UTC
2.8.2 in CVS.
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-20 18:51:26 UTC
Changeset:
http://core.trac.wordpress.org/changeset?new=11730%40branches&old=11701%40branches

No further references available atm.

And thanks for the uberfast bump.
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-08-19 09:40:36 UTC
CVE-2009-2851 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2851):
  Cross-site scripting (XSS) vulnerability in the administrator
  interface in WordPress before 2.8.2 allows remote attackers to inject
  arbitrary web script or HTML via a comment author URL.
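As an added illustration of the sanitization gap this bug describes (constructed Python, not WordPress's PHP and not the upstream changeset): a comment author URL dropped straight into an href attribute, next to a hardened renderer that allowlists the URL scheme and escapes the value for attribute context. Function names and the sample inputs are hypothetical.

```python
import html
from urllib.parse import urlsplit

# Schemes an author link may legitimately use (assumption for this example).
ALLOWED_SCHEMES = {"http", "https"}


def render_author_link_unsafe(author: str, url: str) -> str:
    """The pattern the bug describes: stored URL used as-is in an attribute."""
    return f'<a href="{url}">{author}</a>'


def sanitize_author_url(raw: str) -> str:
    """Return a URL that is safe inside href="...", or "" if it is rejected.

    Rejects anything that is not an absolute http(s) URL with a host, and
    anything containing whitespace or control characters (browsers tolerate
    those inside a scheme, a parser may not). The surviving value is
    HTML-escaped so it cannot terminate the attribute it is placed in.
    """
    candidate = raw.strip()
    if not candidate:
        return ""
    if any(ch.isspace() or not ch.isprintable() for ch in candidate):
        return ""
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return ""
    return html.escape(candidate, quote=True)


def render_author_link(author: str, url: str) -> str:
    """Hardened rendering: escape the name, and link only to an accepted URL."""
    name = html.escape(author, quote=True)
    safe_url = sanitize_author_url(url)
    if not safe_url:
        # Fall back to plain text rather than emitting a rejected URL.
        return name
    return f'<a href="{safe_url}" rel="nofollow">{name}</a>'


if __name__ == "__main__":
    # Constructed sample inputs: one benign, two that a comment form could carry.
    for author, url in [("Alice", "https://example.com/blog"),
                        ("Bob", "javascript:alert(1)"),
                        ("Carol", 'http://example.com/"onmouseover=x')]:
        print(render_author_link_unsafe(author, url))
        print(render_author_link(author, url))
```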