
    ArchLinux: 201409-4: mediawiki: Cross-site Scripting (XSS)

    Date: 29 Sep 2014
    Category: ArchLinux
    Posted by: LinuxSecurity Advisories

    Arch Linux Security Advisory ASA-201409-4
    =========================================
    
    Severity: High
    Date    : 2014-09-29
    CVE-ID  : CVE-2014-7199
    Package : mediawiki
    Type    : Cross-site Scripting (XSS)
    Remote  : Yes
    Link    : https://wiki.archlinux.org/index.php/CVE-2014
    
    Summary
    =======
    
    The package mediawiki before version 1.23.4-1 is
    vulnerable to Cross-site Scripting (XSS).
    
    Resolution
    ==========
    
    Upgrade to 1.23.4-1.
    
    # pacman -Syu "mediawiki>=1.23.4-1"
    
    The problem has been fixed upstream in version 1.23.4.
    
    Workaround
    ==========
    
    None.
    
    Description
    ===========
    
    It was discovered that MediaWiki, a wiki engine, did not sufficiently
    filter CSS in uploaded SVG files, allowing for cross site scripting.
    
    Impact
    ======
    
    A remote attacker is able to upload a crafted SVG file to perform a
    cross site scripting attack.
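
    The advisory describes the defect only at the level of "did not sufficiently filter CSS in uploaded SVG files". The script below is an added example, not code from the advisory, from Arch Linux or from MediaWiki's own upload filter: it shows the kind of conservative triage a wiki operator can run over SVG uploads (for example in a review queue or a log replay) to surface files carrying CSS or script constructs of the class this fix concerns. The pattern list (`@import`, non-fragment `url(...)`, `expression(...)`, `javascript:`, `-moz-binding`, `behavior:`), the `xml-stylesheet` check and the sample SVG documents are assumptions constructed for the example; `url(#id)` references to local gradients and patterns are deliberately allowed, since rejecting them would break ordinary drawings.

```python
"""Pre-upload triage for SVG files: flag CSS and script constructs.

Added example, not MediaWiki's or Arch Linux's own code. The pattern
list is an assumption chosen for illustration, not the upstream fix.
"""
import re
import xml.etree.ElementTree as ET

# CSS constructs that fetch remote resources or, in older engines, run code.
# url(...) is allowed when it points at a local fragment such as url(#grad).
SUSPICIOUS_CSS = re.compile(
    r"@import|url\s*\(\s*[\"']?\s*(?!#)|expression\s*\(|javascript:"
    r"|-moz-binding|behavior\s*:",
    re.IGNORECASE,
)


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified names."""
    return name.rsplit("}", 1)[-1]


def scan_svg(data: bytes) -> list[str]:
    """Return a list of human-readable findings; an empty list means clean."""
    findings: list[str] = []
    # ElementTree drops processing instructions, so look for an external
    # stylesheet reference in the raw bytes before parsing.
    if re.search(rb"<\?xml-stylesheet", data):
        findings.append("xml-stylesheet processing instruction")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"parse error: {exc}"]
    for elem in root.iter():
        tag = _local(elem.tag).lower() if isinstance(elem.tag, str) else ""
        if tag == "script":
            findings.append("<script> element")
        elif tag == "style":
            m = SUSPICIOUS_CSS.search(elem.text or "")
            if m:
                findings.append(f"<style> element contains {m.group(0).strip()}")
        for attr, value in elem.attrib.items():
            aname = _local(attr).lower()
            if aname == "style":
                m = SUSPICIOUS_CSS.search(value)
                if m:
                    findings.append(
                        f"style attribute on <{tag}> contains {m.group(0).strip()}"
                    )
            elif aname.startswith("on"):
                findings.append(f"event handler attribute {aname} on <{tag}>")
            elif aname == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: href on <{tag}>")
    return findings


def is_safe_to_upload(data: bytes) -> bool:
    """Accept only SVGs with no findings."""
    return not scan_svg(data)


# Constructed sample inputs (not real uploads).
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    b"<style>.a { fill: red; }</style>"
    b'<rect class="a" width="10" height="10" style="stroke: url(#grad)"/>'
    b"</svg>"
)

SUSPICIOUS_SVG = (
    b'<?xml-stylesheet type="text/css" href="http://example.invalid/x.css"?>\n'
    b'<svg xmlns="http://www.w3.org/2000/svg">'
    b"<style>@import url(http://example.invalid/evil.css);</style>"
    b'<rect width="10" height="10" onload="handler()"/>'
    b"<script>/* constructed placeholder */</script>"
    b"</svg>"
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, "->", scan_svg(doc) or "clean")
```

    Run as a script it prints the findings for both constructed documents; as a module, `scan_svg` returns the finding list and `is_safe_to_upload` reduces it to a decision. Because the parse is done with the standard library, run it on untrusted input only behind the usual XML hardening (or swap in `defusedxml`), and treat a non-empty result as a reason for manual review rather than as proof of malice.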
    
    References
    ==========
    
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7199
    https://bugzilla.wikimedia.org/show_bug.cgi?id=69008
    https://bugs.archlinux.org/task/42161
    https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-September/000161.html
    