Remote Exploits: multiple vulnerabilities
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
wordpress (Ubuntu) |
Confirmed
|
Medium
|
Unassigned |
Bug Description
Binary package hint: wordpress
NOTE: please fix dapper as well!
Package : wordpress
Vulnerability : several
Debian-specific: no
CVE Id(s) : CVE-2007-1622 CVE-2007-1893 CVE-2007-1894 CVE-2007-1897
CVE-2007-1622
Cross-site scripting (XSS) vulnerability in wp-admin/vars.php in
WordPress before 2.0.10 RC2, and before 2.1.3 RC2 in the 2.1 series,
allows remote authenticated users with theme privileges to inject
arbitrary web script or HTML via the PATH_INFO in the administration
interface, related to loose regular expression processing of PHP_SELF.
CVE-2007-1893
WordPress 2.1.2, and probably earlier, allows remote authenticated
users with the contributor role to bypass intended access restrictions
and invoke the publish_posts functionality, which can be used to
"publish a previously saved post."
CVE-2007-1894
Cross-site scripting (XSS) vulnerability in
wp-
remote attackers to inject arbitrary web script or HTML via the year
parameter in the wp_title function.
CVE-2007-1897
SQL injection vulnerability in xmlrpc.php in WordPress 2.1.2, and
probably earlier, allows remote authenticated users to execute
arbitrary SQL commands via a string parameter value in an XML RPC
mt.
Changed in wordpress: | |
importance: | Undecided → Medium |
status: | In Progress → Confirmed |
Confirmed, sighted on Debian Security Announce <email address hidden>