Bug 437754 - (CVE-2008-1304) CVE-2008-1304 wordpress: multiple XSS issues in invite action
Status: CLOSED UPSTREAM
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard: source=cve,reported=20080312,public=2...
Keywords: Security
Reported: 2008-03-17 04:58 EDT by Tomas Hoger
Modified: 2016-03-04 07:19 EST
Last Closed: 2010-12-23 11:41:59 EST
Doc Type: Bug Fix
Attachments: None

Description Tomas Hoger 2008-03-17 04:58:00 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1304 to the following vulnerability:

Multiple cross-site scripting (XSS) vulnerabilities in WordPress 2.3.2
allow remote attackers to inject arbitrary web script or HTML via the
(1) inviteemail parameter in an invite action to wp-admin/users.php
and the (2) to parameter in a sent action to wp-admin/invites.php.

http://www.securityfocus.com/archive/1/archive/1/489241/100/0/threaded
http://www.hackerscenter.com/index.php?/Latest-posts/114-WordPress-Multiple-Cross-Site-Scripting-Vulnerabilities.html?id=114
http://www.securityfocus.com/bid/28139
http://securitytracker.com/id?1019564
http://xforce.iss.net/xforce/xfdb/41056
http://xforce.iss.net/xforce/xfdb/41055
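The two vectors above describe the same bug class: a request parameter (inviteemail on the invite action, to on the sent action) is reflected into an admin page without output encoding. The bug contains no source for the affected component, so the following is an added, hypothetical reconstruction of that pattern beside its hardened form; it is not WordPress or WPMU code, and the function names, contexts and sample payloads are invented for illustration.

```php
<?php
// Added example, not code from this bug or from WordPress/WPMU: a hypothetical
// reconstruction of the bug class the CVE text describes, i.e. a request
// parameter reflected into an admin page without output encoding. Function
// and variable names here are invented for illustration.

// Vulnerable pattern: the parameter is concatenated straight into markup.
// In the attribute case a value like  "><script>...</script>  closes the
// quoted value; in the text case a bare <script> tag is enough.
function reflect_vulnerable(string $name, string $value, string $context): string
{
    if ($context === 'attr') {
        return '<input type="text" name="' . $name . '" value="' . $value . '">';
    }
    return '<p>Invitation sent to ' . $value . '</p>';
}

// Hardened pattern: validate that the value is an e-mail address at all, then
// encode for the output context. htmlspecialchars() with ENT_QUOTES covers both
// the quoted-attribute and the element-text contexts; WordPress wraps the same
// call as attribute_escape() (pre-2.8) / esc_attr() and esc_html() (2.8+).
function reflect_fixed(string $name, string $value, string $context): string
{
    if ($value !== '' && filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        $value = '';   // not an address: do not echo attacker-chosen bytes at all
    }
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    if ($context === 'attr') {
        return '<input type="text" name="' . $name . '" value="' . $safe . '">';
    }
    return '<p>Invitation sent to ' . $safe . '</p>';
}

// Smoke test: true when a value reflected through $renderer escapes its
// context, i.e. the rendered page contains a tag the template did not put there.
function is_injectable(callable $renderer, string $name, string $value, string $context): bool
{
    $page = $renderer($name, $value, $context);
    return stripos($page, '<script') !== false;
}

// Constructed sample requests mirroring the two vectors in the CVE text:
// (1) inviteemail in the invite action (echoed into the form), and
// (2) to in the sent action (echoed into the confirmation text),
// plus one legitimate address to show the fixed version still renders it.
$payloads = [
    ['name' => 'inviteemail', 'value' => '"><script>alert(document.cookie)</script>', 'context' => 'attr'],
    ['name' => 'to',          'value' => '<script>alert(1)</script>',                  'context' => 'text'],
    ['name' => 'inviteemail', 'value' => 'alice@example.com',                         'context' => 'attr'],
];

foreach ($payloads as $p) {
    printf("%-12s vulnerable=%s fixed=%s\n",
        $p['name'],
        is_injectable('reflect_vulnerable', $p['name'], $p['value'], $p['context']) ? 'XSS' : 'ok',
        is_injectable('reflect_fixed',      $p['name'], $p['value'], $p['context']) ? 'XSS' : 'ok');
    echo reflect_fixed($p['name'], $p['value'], $p['context']), "\n";
}
```

Run it with `php example.php`. The order matters: validation first rejects anything that is not an address, and encoding on output then protects the cases validation cannot, such as a syntactically valid address containing a quote. The `<script` search is only a smoke test for the demo; a real check would parse the rendered page rather than grep it, since event-handler attributes and other tags bypass a substring match.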
Comment 1 Tomas Hoger 2008-03-17 05:08:58 EDT
I'm quite confused by this CVE id and its description.  The original report
mentions WP 2.3.2, but there is no invites.php, and actually no 'invite' anywhere,
in the WP 2.3.2 or 2.3.3 sources.

So this seems to affect either some customized WP version, WP with some plugin,
or multi-user WP (WPMU, http://mu.wordpress.org/, reported to power
wordpress.com blogs).  WPMU does have invite functionality, but its latest
version is 1.3.3 (according to the download page).
Comment 2 Adrian Reber 2008-03-17 08:40:06 EDT
So it sounds like we do not have to do anything, right?

All supported Fedora versions are using 2.3.3. The CVE is only talking about 2.3.2.

So for now, I would say, we do not need to react.
Comment 3 Tomas Hoger 2008-03-17 08:57:27 EDT
CVE description only mentions 2.3.2, as that's what is listed in the initial
report (second link in comment #0 in this bug).  As I mentioned above, it does
not even seem to affect WP 2.3.2.

So unless anyone can see something obvious I may be overlooking, I'm tempted to
close-notabug this.