Arch Linux Security Advisory ASA-201410-3
========================================
Severity: Medium
Date    : 2014-10-04
CVE-ID  : CVE-2014-7295
Package : mediawiki
Type    : Cross-site Scripting (XSS) and UI redressing
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE-2014

Summary
======
The package mediawiki before version 1.23.5-1 is vulnerable to
Cross-site Scripting (XSS) and UI redressing.

Resolution
=========
Upgrade to 1.23.5-1.

# pacman -Syu "mediawiki>=1.23.5-1"

The problem has been fixed upstream in version 1.23.5.

Workaround
=========
None.

Description
==========
It was discovered that MediaWiki, a wiki engine, was separating the
allowance of css and js modules resulting in Cross-site Scripting (XSS)
and UI redressing issues.

Impact
=====
A remote attacker is able to perform Cross-site Scripting (XSS) and/or
UI redressing attacks on affected MediaWiki pages.

References
=========
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7295
https://phabricator.wikimedia.org/T72672
https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/7CSMXENGLTDHTBNNLZ6G2MA3GJRQL3ES/
https://www.openwall.com/lists/oss-security/2014/10/02/36