Arch Linux Security Advisory ASA-201409-4
========================================
Severity: High
Date    : 2014-09-29
CVE-ID  : CVE-7199
Package : mediawiki
Type    : Cross-site Scripting (XSS)
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE-2014

Summary
======
The package mediawiki before version 1.23.4-1 is
vulnerable to Cross-site Scripting (XSS).

Resolution
=========
Upgrade to 1.23.4-1.

# pacman -Syu "mediawiki>=1.23.4-1"

The problem has been fixed upstream in version 1.23.4.

Workaround
=========
None.

Description
==========
It was discovered that MediaWiki, a wiki engine, did not sufficiently
filter CSS in uploaded SVG files, allowing for cross site scripting.

Impact
=====
A remote attacker is able to upload a crafted SVG file to perform a
cross site scripting attack.

References
=========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7199
https://phabricator.wikimedia.org/T71008
https://bugs.archlinux.org/task/42161
https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/7CRASJKGBFVXEHSNWKNX3UHOF3IJSBS5/