235912 – (CVE-2007-1897) CVE-2007-1893, CVE-2007-1897: wordpress < 2.1.3 issues

Bug 235912 (CVE-2007-1897) - CVE-2007-1893, CVE-2007-1897: wordpress < 2.1.3 issues

Summary: CVE-2007-1893, CVE-2007-1897: wordpress < 2.1.3 issues

Keywords:
Status:	CLOSED NEXTRELEASE
Alias:	CVE-2007-1897
Product:	Fedora
Classification:	Fedora
Component:	wordpress
Sub Component:
Version:	6
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	John Berninger
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2007-04-10 18:57 UTC by Ville Skyttä
Modified:	2007-11-30 22:12 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2007-04-16 15:22:34 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Ville Skyttä 2007-04-10 18:57:27 UTC

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1893
"WordPress 2.1.2, and probably earlier, allows remote authenticated users with
the contributor role to bypass intended access restrictions and invoke the
publish_posts functionality, which can be used to "publish a previously saved
post.""

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1897
"SQL injection vulnerability in xmlrpc.php in WordPress 2.1.2, and probably
earlier, allows remote authenticated users to execute arbitrary SQL commands via
a string parameter value in an XML RPC mt.setPostCategories method call, related
to the post_id variable."

All active FE releases have 2.1.3-RC2 which seems affected.  2.1.3 final is said
to fix these issues.

Comment 1 John Berninger 2007-04-16 15:22:34 UTC

New packages built (2.1.3 final)

Note You need to log in before you can comment on or make changes to this bug.