[arch-security] [Arch Linux Security Advisory ASA-201409-4] mediawiki: Cross-site Scripting (XSS)

Levente Polyak levente at leventepolyak.net
Mon Sep 29 12:12:32 UTC 2014


Arch Linux Security Advisory ASA-201409-4
=========================================

Severity: High
Date    : 2014-09-29
CVE-ID  : CVE-7199
Package : mediawiki
Type    : Cross-site Scripting (XSS)
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE-2014

Summary
=======

The package mediawiki before version 1.23.4-1 is
vulnerable to Cross-site Scripting (XSS).

Resolution
==========

Upgrade to 1.23.4-1.

# pacman -Syu "mediawiki>=1.23.4-1"

The problem has been fixed upstream in version 1.23.4.

Workaround
==========

None.

Description
===========

It was discovered that MediaWiki, a wiki engine, did not sufficiently
filter CSS in uploaded SVG files, allowing for cross site scripting.

Impact
======

A remote attacker is able to upload a crafted SVG file to perform a
cross site scripting attack.

References
==========

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7199
https://bugzilla.wikimedia.org/show_bug.cgi?id=69008
https://bugs.archlinux.org/task/42161
https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-September/000161.html

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20140929/478e5c10/attachment.bin>


More information about the arch-security mailing list