Red Hat Bugzilla – Bug 512900
CVE-2009-2851 WordPress: XSS via unescaped HTML URLs as author comments in the admin page
Last modified: 2016-03-04 05:43:39 EST
From WordPress blog: WordPress 2.8.2 fixes an XSS vulnerability. Comment author URLs were not fully sanitized when displayed in the admin. This could be exploited to redirect you away from the admin to another site. References: ----------- http://wordpress.org/development/2009/07/wordpress-2-8-2/ http://bugs.gentoo.org/show_bug.cgi?id=278492 Note: Please be sure to mention CVE identifier in the WordPress's rpm Changelog when scheduling Fedora updates / addressing this flaw.
Is there already a CVE identifier assigned? Should I wait with the update until there is a CVE identifier available?
CVE for this issue was requested here: http://www.openwall.com/lists/oss-security/2009/07/21/1 Would be better to have CVE identifier associated with the fix, but if it isn't assigned in two days (you will notice, as this bug will be updated with it), go ahead and schedule the Fedora WordPress updates. But for now please wait a little bit (for it). Thanks, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
It has been a few days without any news. I would really like to push the updates. It is somehow silly to wait if the update is already available.
wordpress-2.8.2-1.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/wordpress-2.8.2-1.fc11
wordpress-2.8.2-1.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/wordpress-2.8.2-1.fc10
wordpress-2.8.2-1.el5 has been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/wordpress-2.8.2-1.el5
wordpress-2.8.2-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
wordpress-2.8.2-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
wordpress-2.8.2-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
MITRE's CVE-2009-2851 record: ----------------------------- Cross-site scripting (XSS) vulnerability in the administrator interface in WordPress before 2.8.2 allows remote attackers to inject arbitrary web script or HTML via a comment author URL. References: ----------- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2851 http://www.openwall.com/lists/oss-security/2009/07/21/1 http://bugs.gentoo.org/show_bug.cgi?id=278492 http://wordpress.org/development/2009/07/wordpress-2-8-2/ https://www.redhat.com/archives/fedora-package-announce/2009-July/msg01241.html https://www.redhat.com/archives/fedora-package-announce/2009-July/msg01253.html http://securitytracker.com/id?1022589