Several vulnerabilities were discovered in MediaWiki, a wiki engine.
The Common Vulnerabilities and Exposures project describes the following
issues:
CVE-2013-2031
Cross-site scripting attack via valid UTF-7 encoded sequences
in an SVG file.
CVE-2013-4567 & CVE-2013-4568
Kevin Israel (Wikipedia user PleaseStand) reported two ways
to inject JavaScript due to an incomplete blacklist in the
CSS sanitizer function.
CVE-2013-4572
MediaWiki and the CentralNotice extension were incorrectly setting
cache headers when a user was autocreated, causing the user's
session cookies to be cached, and returned to other users.
CVE-2013-6452
Chris from RationalWiki reported that SVG files could be
uploaded that include external stylesheets, which could lead to
XSS when an XSL was used to include JavaScript.
CVE-2013-6453
MediaWiki's SVG sanitization could be bypassed when the XML was
considered invalid.
CVE-2013-6454
MediaWiki's CSS sanitization did not filter -o-link ...
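
A fail-closed upload check for the three SVG issues above (CVE-2013-2031, CVE-2013-6452, CVE-2013-6453), added here as an example and not MediaWiki's own sanitizer code. The function name, the UTF-8-only policy and the sample inputs are assumptions made for illustration.

```python
import re
from xml.parsers import expat

# Matches the encoding pseudo-attribute of an XML declaration.
_DECL_ENCODING = re.compile(rb'<\?xml\s[^>]*?encoding\s*=\s*["\']([^"\']+)["\']')

def check_svg_upload(data: bytes) -> list:
    """Return the reasons to reject an uploaded SVG; an empty list means accept."""
    # Policy assumption: only UTF-8 is accepted, so this check and any later
    # consumer of the file agree on which characters the bytes represent.
    match = _DECL_ENCODING.search(data[:256])
    if match and match.group(1).lower() != b"utf-8":
        return ["declared encoding is not UTF-8"]
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return ["content is not valid UTF-8"]

    reasons = []

    def on_processing_instruction(target, _pi_data):
        # An xml-stylesheet PI can pull in CSS or XSL from outside the file.
        if target == "xml-stylesheet":
            reasons.append("xml-stylesheet processing instruction")

    parser = expat.ParserCreate()
    parser.ProcessingInstructionHandler = on_processing_instruction
    try:
        parser.Parse(data, True)
    except expat.ExpatError:
        # Fail closed: a file the parser cannot read is never passed through.
        return ["not well-formed XML"]
    return reasons

# Constructed sample inputs (not taken from the advisory).
SVG_NS = b'xmlns="http://www.w3.org/2000/svg"'
CLEAN = b'<?xml version="1.0" encoding="UTF-8"?>\n<svg ' + SVG_NS + b'/>'
UTF7 = b'<?xml version="1.0" encoding="UTF-7"?>\n<svg ' + SVG_NS + b'/>'
STYLED = (b'<?xml version="1.0"?>\n<?xml-stylesheet type="text/xsl" '
          b'href="https://example.invalid/s.xsl"?>\n<svg ' + SVG_NS + b'/>')
BROKEN = b'<svg ' + SVG_NS + b'><g></svg>'

if __name__ == "__main__":
    for name in ("CLEAN", "UTF7", "STYLED", "BROKEN"):
        print(name, check_svg_upload(globals()[name]))
```
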