Bug 437754 (CVE-2008-1304)

Summary: CVE-2008-1304 wordpress: multiple XSS issues in invite action
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: adrian, john
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1304
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-12-23 16:41:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Tomas Hoger 2008-03-17 08:58:00 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1304 to the following vulnerability:

Multiple cross-site scripting (XSS) vulnerabilities in WordPress 2.3.2
allow remote attackers to inject arbitrary web script or HTML via the
(1) inviteemail parameter in an invite action to wp-admin/users.php
and the (2) to parameter in a sent action to wp-admin/invites.php.

http://www.securityfocus.com/archive/1/archive/1/489241/100/0/threaded
http://www.hackerscenter.com/index.php?/Latest-posts/114-WordPress-Multiple-Cross-Site-Scripting-Vulnerabilities.html?id=114
http://www.securityfocus.com/bid/28139
http://securitytracker.com/id?1019564
http://xforce.iss.net/xforce/xfdb/41056
http://xforce.iss.net/xforce/xfdb/41055
Comment 1 Tomas Hoger 2008-03-17 09:08:58 UTC 
I'm quite confused by this CVE id and it's description.  Original report
mentions WP 2.3.2, but there is not invites.php or actually no 'invite' anywhere
in the WP 2.3.2 or 2.3.3 sources.

So this seems to affect either some customized WP version, WP with some plugin
or multi-user WP (WPMU, http://mu.wordpress.org/, reported to power
wordpress.com blogs).  WPMU does have invite functionality, but its latest
version is 1.3.3 (according to the download page).
Comment 2 Adrian Reber 2008-03-17 12:40:06 UTC 
So it sounds like we do not have to do anything, right?

All supported Fedora versions are using 2.3.3. The CVE is only talking about 2.3.2.

So for now, I would say, we do not need to react.
Comment 3 Tomas Hoger 2008-03-17 12:57:27 UTC 
CVE description only mentions 2.3.2, as that's what is listed in the initial
report (second link in comment #0 in this bug).  As I mentioned above, it does
not even seem to affect WP 2.3.2.

So unless anyone can see something obvious I may be overlooking, I'm tempted to
close-notabug this.