Arch Linux Security Advisory ASA-201410-3
=========================================

Severity: Medium
Date    : 2014-10-04
CVE-ID  : CVE-2014-7295
Package : mediawiki
Type    : Cross-site Scripting (XSS) and UI redressing
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE-2014

Summary
=======

The package mediawiki before version 1.23.5-1 is vulnerable to Cross-site
Scripting (XSS) and UI redressing.

Resolution
==========

Upgrade to 1.23.5-1.

# pacman -Syu "mediawiki>=1.23.5-1"

The problem has been fixed upstream in version 1.23.5.

Workaround
==========

None.

Description
===========

It was discovered that MediaWiki, a wiki engine, was separating the
allowance of css and js modules resulting in Cross-site Scripting (XSS)
and UI redressing issues.

Impact
======

A remote attacker is able to perform Cross-site Scripting (XSS) and/or UI
redressing attacks on affected MediaWiki pages.

References
==========

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7295
https://bugzilla.wikimedia.org/show_bug.cgi?id=70672
https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-October/000163...
http://www.openwall.com/lists/oss-security/2014/10/02/36