oss-security - CVE-request: WordPress advanced-text-widget XSS advancedtext.php?page=

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [thread-next>] [day] [month] [year] [list]

Message-ID: <20111218094528.GA22411@foo.fgeek.fi>
Date: Sun, 18 Dec 2011 11:45:28 +0200
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Subject: CVE-request: WordPress advanced-text-widget XSS
 advancedtext.php?page=

Can I get CVE-identifier for this issue?

Original report: http://seclists.org/bugtraq/2011/Nov/133
Vendor report: http://wordpress.org/support/topic/wordpress-advanced-text-widget-plugin-cross-site-scripting-vulnerabilities
Fixed in 2.0.2
Vulnerable versions: 2.0.1 and all below
One example: advancedtext.php?page=

http://wordpress.org/extend/plugins/advanced-text-widget/changelog/
------------------------------------------------------------------------
r466102 | maxchirkov | 2011-11-22 19:32:02 +0200 (Tue, 22 Nov 2011) | 2 lines

Committing version 2.0.2
- Updated all instances of $_GET method with esc_attr() to improve security.
------------------------------------------------------------------------

- Henri Salo

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.