Bug 437754 (CVE-2008-1304) - CVE-2008-1304 wordpress: multiple XSS issues in invite action
Summary: CVE-2008-1304 wordpress: multiple XSS issues in invite action
Alias: CVE-2008-1304
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard: source=cve,reported=20080312,public=2...
Keywords: Security
Depends On:
TreeView+ depends on / blocked
Reported: 2008-03-17 08:58 UTC by Tomas Hoger
Modified: 2016-03-04 12:19 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-12-23 16:41:59 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Tomas Hoger 2008-03-17 08:58:00 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1304 to the following vulnerability:

Multiple cross-site scripting (XSS) vulnerabilities in WordPress 2.3.2
allow remote attackers to inject arbitrary web script or HTML via the
(1) inviteemail parameter in an invite action to wp-admin/users.php
and the (2) to parameter in a sent action to wp-admin/invites.php.


Comment 1 Tomas Hoger 2008-03-17 09:08:58 UTC
I'm quite confused by this CVE id and it's description.  Original report
mentions WP 2.3.2, but there is not invites.php or actually no 'invite' anywhere
in the WP 2.3.2 or 2.3.3 sources.

So this seems to affect either some customized WP version, WP with some plugin
or multi-user WP (WPMU, http://mu.wordpress.org/, reported to power
wordpress.com blogs).  WPMU does have invite functionality, but its latest
version is 1.3.3 (according to the download page).

Comment 2 Adrian Reber 2008-03-17 12:40:06 UTC
So it sounds like we do not have to do anything, right?

All supported Fedora versions are using 2.3.3. The CVE is only talking about 2.3.2.

So for now, I would say, we do not need to react.

Comment 3 Tomas Hoger 2008-03-17 12:57:27 UTC
CVE description only mentions 2.3.2, as that's what is listed in the initial
report (second link in comment #0 in this bug).  As I mentioned above, it does
not even seem to affect WP 2.3.2.

So unless anyone can see something obvious I may be overlooking, I'm tempted to
close-notabug this.

Note You need to log in before you can comment on or make changes to this bug.