Common Vulnerabilities and Exposures assigned an identifier CVE-2011-0740 to the following vulnerability:

Name: CVE-2011-0740
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0740
Assigned: 20110201
Reference: http://www.autosectools.com/Advisories/WordPress.RSS.Feed.Reader.for.WordPress.0.1_Reflected.Cross-site.Scripting_82.html
Reference: http://www.securityfocus.com/bid/45997
Reference: http://osvdb.org/70644
Reference: http://secunia.com/advisories/43071
Reference: http://xforce.iss.net/xforce/xfdb/64949

Cross-site scripting (XSS) vulnerability in magpie/scripts/magpie_slashbox.php in RSS Feed Reader 0.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the rss_url parameter.

Note that this WordPress plugin is not shipped, but seems to be using the same magpierss that we ship. At any rate I've verified the XSS in magpierss 0.72.

To fix this, the following should work (line 6 of magpie_slashbox.php):

$url = htmlspecialchars($_GET['rss_url']);

(using htmlspecialchars()). I've not looked to see if there are any other similar occurrences. I don't expect upstream to fix anything as 0.72 was released in 2005 and that is the latest version.
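An added PHP example, not code from the bug report or from MagpieRSS: it applies the suggested htmlspecialchars() fix to rss_url with the encoding flags spelled out (so single quotes are escaped on every PHP version, which the bare default call does not guarantee before 8.1), and adds a scheme check that goes beyond the one-line fix. The function name encodedRssUrl() and the sample URL are constructed for the example.

```php
<?php
// Added example (not from the bug report or MagpieRSS): encoding a reflected
// query parameter such as rss_url before it is echoed into the page.

declare(strict_types=1);

/**
 * Return rss_url from the request array, encoded so it is safe to echo into
 * HTML text or into a double- or single-quoted attribute. Returns '' when the
 * parameter is missing or is not an http(s) URL. The scheme allow-list is an
 * added hardening step, not part of the one-line fix suggested in the report.
 */
function encodedRssUrl(array $get): string
{
    $raw = $get['rss_url'] ?? '';
    if (!is_string($raw) || $raw === '') {
        return '';
    }
    // Only http and https feeds make sense here; anything else is dropped
    // before it can reach the output.
    $scheme = strtolower((string) parse_url($raw, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return '';
    }
    // ENT_QUOTES escapes ' as well as " and <>&; before PHP 8.1 the default
    // flags left single quotes untouched. ENT_SUBSTITUTE keeps invalid UTF-8
    // from turning the whole result into an empty string.
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample request: a feed URL carrying HTML metacharacters in its
// query string, the kind of input the unpatched script reflected verbatim.
$sample = ['rss_url' => "http://example.com/feed?q=<b>'x'</b>&r=\"y\""];

// Vulnerable pattern: the raw parameter is echoed as-is (what line 6 did).
$vulnerable = $sample['rss_url'];

// Hardened pattern: every metacharacter is turned into an HTML entity.
$safe = encodedRssUrl($sample);

echo "raw:     $vulnerable\n";
echo "encoded: $safe\n";
```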
Created php-magpierss tracking bugs for this issue

Affects: fedora-all [bug 674680]
Affects: epel-all [bug 674681]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.