mediawiki: multiple vulnerabilities
| Package(s): | mediawiki | CVE #(s): | CVE-2013-6454 CVE-2014-9477 CVE-2014-9478 CVE-2014-9479 CVE-2014-9480 CVE-2014-9481 CVE-2014-9487 CVE-2014-9507 | ||||
| Created: | February 9, 2015 | Updated: | February 11, 2015 | ||||
| Description: | From the CVE entries:
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via a -o-link attribute. (CVE-2013-6454) Multiple cross-site scripting (XSS) vulnerabilities in the Listings extension for MediaWiki allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) url parameter. (CVE-2014-9477) Cross-site scripting (XSS) vulnerability in the preview in the ExpandTemplates extension for MediaWiki, when $wgRawHTML is set to true, allows remote attackers to inject arbitrary web script or HTML via the wpInput parameter to the Special:ExpandTemplates page. (CVE-2014-9478) Cross-site scripting (XSS) vulnerability in the preview in the TemplateSandbox extension for MediaWiki allows remote attackers to inject arbitrary web script or HTML via the text parameter to Special:TemplateSandbox. (CVE-2014-9479) Cross-site scripting (XSS) vulnerability in the Hovercards extension for MediaWiki allows remote attackers to inject arbitrary web script or HTML via vectors related to text extracts. (CVE-2014-9480) MediaWiki 1.21.x, 1.22.x before 1.22.14, and 1.23.x before 1.23.7, when $wgContentHandlerUseDB is enabled, allows remote attackers to conduct cross-site scripting (XSS) attacks by setting the content model for a revision to JS. (CVE-2014-9507) CVE-2014-9481 and CVE-2014-9487 are unspecified. | ||||||
| Alerts: |
| ||||||