Date: Mon, 19 Dec 2011 10:37:31 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Henri Salo <henri@...v.fi>
Subject: Re: CVE-request: WordPress advanced-text-widget XSS advancedtext.php?page=

On 12/18/2011 02:45 AM, Henri Salo wrote:
> Can I get CVE-identifier for this issue?
>
> Original report: http://seclists.org/bugtraq/2011/Nov/133
> Vendor report: http://wordpress.org/support/topic/wordpress-advanced-text-widget-plugin-cross-site-scripting-vulnerabilities
> Fixed in 2.0.2
> Vulnerable versions: 2.0.1 and all below
> One example: advancedtext.php?page=
>
> http://wordpress.org/extend/plugins/advanced-text-widget/changelog/
> ------------------------------------------------------------------------
> r466102 | maxchirkov | 2011-11-22 19:32:02 +0200 (Tue, 22 Nov 2011) | 2 lines
>
> Committing version 2.0.2
> - Updated all instances of $_GET method with esc_attr() to improve security.
> ------------------------------------------------------------------------
>
> - Henri Salo

Please use CVE-2011-4618 for this issue.

-- 

-Kurt Seifried / Red Hat Security Response Team
