Package: wordpress
Severity: important

Hi,

There are three CVE numbers[0][1][2] issued for wordpress. Unfortunately, they do not tell me a lot. Can you maybe have a look at them and check whether they affect the current Debian versions? The three texts say:

CVE-2007-1599: wp-login.php in WordPress allows remote attackers to redirect authenticated users to other websites and potentially obtain sensitive information via the redirect_to parameter.

CVE-2007-2627: Cross-site scripting (XSS) vulnerability in sidebar.php in WordPress, when custom 404 pages that call get_sidebar are used, allows remote attackers to inject arbitrary web script or HTML via the query string (PHP_SELF), a different vulnerability than CVE-2007-1622.

CVE-2007-3238: Cross-site scripting (XSS) vulnerability in functions.php in the default theme in WordPress 2.2 allows remote authenticated administrators to inject arbitrary web script or HTML via the PATH_INFO (REQUEST_URI) to wp-admin/themes.php, a different vulnerability than CVE-2007-1622. NOTE: this might not cross privilege boundaries in some configurations, since the Administrator role has the unfiltered_html capability.

Please also note the CVE numbers in the changelog, if you should decide to include fixes.

Cheers
Steffen

[0]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1599
[1]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2627
[2]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3238
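Added illustration (not part of the bug report and not WordPress code): the two bug classes the report quotes are an open redirect through a user-controlled redirect_to parameter, and reflected XSS from echoing the request path (PHP_SELF / REQUEST_URI) into page markup unescaped. The Python below models the checks a maintainer would want when verifying a fix: a same-site test for the redirect target, and the unsafe echo of a request path beside its escaped form. The site host `example.org`, the sample parameter values and the helper names are constructed for the example and are not taken from the CVE texts.

```python
"""Model of the fixes the quoted CVEs call for (illustrative, not WordPress code).

- is_safe_redirect(): same-site check for a redirect_to-style parameter
  (the CVE-2007-1599 class).
- vulnerable_form_action() / hardened_form_action(): echoing a request path
  into an HTML attribute unescaped versus escaped (the CVE-2007-2627 /
  CVE-2007-3238 class).
"""
from html import escape
from urllib.parse import urlsplit


def is_safe_redirect(redirect_to: str, site_host: str) -> bool:
    """Return True only if redirect_to keeps the user on site_host.

    Accepted: a site-relative path ('/wp-admin/') or an absolute http(s) URL
    whose host is exactly site_host. Rejected: empty values, scheme-relative
    URLs ('//other.example/'), backslash variants browsers treat the same way,
    non-http(s) schemes ('javascript:...'), foreign hosts, and userinfo tricks
    ('http://example.org@other.example/').
    """
    if not redirect_to:
        return False
    # '//host' and '/\\host' both leave the site in browsers; refuse outright.
    if redirect_to.startswith(("//", "/\\")):
        return False
    parts = urlsplit(redirect_to)
    if parts.scheme == "" and parts.netloc == "":
        # No scheme and no authority: a plain path. Require it to be rooted.
        return redirect_to.startswith("/")
    if parts.scheme not in ("http", "https"):
        return False
    # urlsplit() places anything before '@' in userinfo, so hostname is the
    # real target; compare case-insensitively against the site host.
    return parts.hostname is not None and parts.hostname.lower() == site_host.lower()


def vulnerable_form_action(request_path: str) -> str:
    """The unsafe pattern: the request path (PHP_SELF / REQUEST_URI) goes
    straight into an attribute, so '"><script>' in the URL becomes markup."""
    return '<form action="%s">' % request_path


def hardened_form_action(request_path: str) -> str:
    """Same output with attribute-safe escaping of &, <, >, \" and '."""
    return '<form action="%s">' % escape(request_path, quote=True)


def audit_redirects(candidates, site_host: str):
    """Classify a list of redirect_to values; returns {value: is_safe}."""
    return {value: is_safe_redirect(value, site_host) for value in candidates}


# Constructed sample parameter values (not from any real request log).
SAMPLE_REDIRECTS = [
    "/wp-admin/",
    "http://example.org/wp-admin/",
    "https://EXAMPLE.ORG/wp-admin/",
    "http://other.example/",
    "//other.example/",
    "/\\other.example/",
    "http://example.org@other.example/",
    "javascript:alert(1)",
    "",
]

# Constructed request path carrying an attribute-breakout payload.
SAMPLE_REQUEST_PATH = '/missing-page/"><script>alert(1)</script>'

if __name__ == "__main__":
    for value, ok in audit_redirects(SAMPLE_REDIRECTS, "example.org").items():
        print("%-40r %s" % (value, "allow" if ok else "reject"))
    print(vulnerable_form_action(SAMPLE_REQUEST_PATH))
    print(hardened_form_action(SAMPLE_REQUEST_PATH))
```

The redirect check matches the host exactly rather than by substring or prefix, because `example.org.other.example` and `example.org@other.example` would both pass a naive `startswith` test. The hardened echo uses attribute-context escaping; if the path were emitted inside a script block or a URL context instead, a different encoder would be needed.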