Arch Linux Security Advisory ASA-201409-4 ========================================= Severity: High Date : 2014-09-29 CVE-ID : CVE-7199 Package : mediawiki Type : Cross-site Scripting (XSS) Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE-2014 Summary ======= The package mediawiki before version 1.23.4-1 is vulnerable to Cross-site Scripting (XSS). Resolution ========== Upgrade to 1.23.4-1. # pacman -Syu "mediawiki>=1.23.4-1" The problem has been fixed upstream in version 1.23.4. Workaround ========== None. Description =========== It was discovered that MediaWiki, a wiki engine, did not sufficiently filter CSS in uploaded SVG files, allowing for cross site scripting. Impact ====== A remote attacker is able to upload a crafted SVG file to perform a cross site scripting attack. References ========== https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7199 https://bugzilla.wikimedia.org/show_bug.cgi?id=69008 https://bugs.archlinux.org/task/42161 https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-September/0001...