CVE-2007-1622

NameCVE-2007-1622
DescriptionCross-site scripting (XSS) vulnerability in wp-admin/vars.php in WordPress before 2.0.10 RC2, and before 2.1.3 RC2 in the 2.1 series, allows remote authenticated users with theme privileges to inject arbitrary web script or HTML via the PATH_INFO in the administration interface, related to loose regular expression processing of PHP_SELF.
SourceCVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, more)
ReferencesDSA-1285-1
NVD severitymedium (attack range: remote, user-initiated)
Debian/oldstablenot vulnerable.
Debian/stablenot vulnerable.
Debian/testingnot vulnerable.
Debian/unstablenot vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
wordpress (PTS)squeeze (security), squeeze3.6.1+dfsg-1~deb6u4fixed
squeeze (lts)3.6.1+dfsg-1~deb6u5fixed
wheezy, wheezy (security)3.6.1+dfsg-1~deb7u5fixed
jessie4.1+dfsg-1fixed
sid4.1.1+dfsg-1fixed

The information above is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
wordpresssource(unstable)2.1.3-1medium
wordpresssourceetch2.0.10-1mediumDSA-1285-1

Search for package or bug name: Reporting problems