Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 278492 - <www-apps/wordpress-2.8.2 XSS Vulnerability in Comment author URLs (CVE-2009-2851)
Summary: <www-apps/wordpress-2.8.2 XSS Vulnerability in Comment author URLs (CVE-2009-...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High trivial (vote)
Assignee: Gentoo Security
URL: http://wordpress.org/development/2009...
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-07-20 18:22 UTC by Jeroen Roovers
Modified: 2009-08-19 09:40 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jeroen Roovers gentoo-dev 2009-07-20 18:22:44 UTC
"WordPress 2.8.2 fixes an XSS vulnerability. Comment author URLs were not
   fully sanitized when displayed in the admin. This could be exploited to
   redirect you away from the admin to another site."
Comment 1 Tobias Scherbaum (RETIRED) gentoo-dev 2009-07-20 18:44:47 UTC
2.8.2 in CVS.
Comment 2 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-07-20 18:51:26 UTC
Changeset:
http://core.trac.wordpress.org/changeset?new=11730%40branches&old=11701%40branches

No further references available atm.

And thanks for the uberfast bump.
Comment 3 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-08-19 09:40:36 UTC
CVE-2009-2851 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2851):
  Cross-site scripting (XSS) vulnerability in the administrator
  interface in WordPress before 2.8.2 allows remote attackers to inject
  arbitrary web script or HTML via a comment author URL.