FS#42161 - [mediawiki] CVE-2014-7199

Attached to Project: Community Packages
Opened by Levente Polyak (anthraxx) - Sunday, 28 September 2014, 15:24 GMT
Last edited by Sergej Pupykin (sergej) - Monday, 29 September 2014, 10:18 GMT
Task Type: Bug Report
Category: Upstream Bugs
Status: Closed
Assigned To: Sergej Pupykin (sergej)
Architecture: All
Severity: High
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 1
Private: No

Details

Hello,

mediawiki <= 1.23.3 is vulnerable to a cross-site scripting bug [0][1][2].

It was discovered that MediaWiki, a wiki engine, did not sufficiently filter CSS in uploaded SVG files, allowing for cross site scripting.

[0] https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-September/000161.html
[1] http://seclists.org/oss-sec/2014/q3/774
[2] https://bugzilla.wikimedia.org/show_bug.cgi?id=69008

Closed by Sergej Pupykin (sergej)
Monday, 29 September 2014, 10:18 GMT
Reason for closing: Fixed
Additional comments about closing: updated to 1.23.4
Comment by Levente Polyak (anthraxx) - Sunday, 28 September 2014, 15:38 GMT
Sorry, I missed the recommendation part:

A fix for this flaw has been committed upstream and is resolved in mediawiki >= 1.23.4 [0]

[0] https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-September/000161.html
Comment by Levente Polyak (anthraxx) - Sunday, 28 September 2014, 20:33 GMT
Sorry, my e-mail to Pierre was misleading; this report should be filed against the community package, which is still affected by this vulnerability.
