[arch-security] [Arch Linux Security Advisory ASA-201409-4] mediawiki: Cross-site Scripting (XSS)
Levente Polyak
levente at leventepolyak.net
Mon Sep 29 12:12:32 UTC 2014
Arch Linux Security Advisory ASA-201409-4
=========================================
Severity: High
Date : 2014-09-29
CVE-ID : CVE-7199
Package : mediawiki
Type : Cross-site Scripting (XSS)
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE-2014
Summary
=======
The package mediawiki before version 1.23.4-1 is
vulnerable to Cross-site Scripting (XSS).
Resolution
==========
Upgrade to 1.23.4-1.
# pacman -Syu "mediawiki>=1.23.4-1"
The problem has been fixed upstream in version 1.23.4.
Workaround
==========
None.
Description
===========
It was discovered that MediaWiki, a wiki engine, did not sufficiently
filter CSS in uploaded SVG files, allowing for cross site scripting.
Impact
======
A remote attacker is able to upload a crafted SVG file to perform a
cross site scripting attack.
References
==========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7199
https://bugzilla.wikimedia.org/show_bug.cgi?id=69008
https://bugs.archlinux.org/task/42161
https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-September/000161.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20140929/478e5c10/attachment.bin>
More information about the arch-security
mailing list