mediawiki: multiple vulnerabilities

Package(s): mediawiki
CVE #(s): CVE-2013-1951
Created: April 30, 2013
Updated: May 1, 2013
Description: From the Red Hat bugzilla:

Three flaws were corrected in the recently-released MediaWiki 1.20.4 and 1.19.5 releases:

* An internal review discovered that specially crafted Lua function names could lead to cross-site scripting. MediaWiki bug 46084

* Daniel Franke reported that during SVG parsing, MediaWiki failed to prevent XML external entity (XXE) processing. This could lead to local file disclosure, or potentially remote command execution in environments that have enabled expect:// handling. MediaWiki bug 46859

* Internal review also discovered that Special:Import, and Extension:RSS failed to prevent XML external entity (XXE) processing. MediaWiki bug 47251

CVE-2013-1951 was assigned to the first issue (the XSS), the other two do not have CVEs assigned as per a discussion on oss-sec.
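
For the two XXE items above, a pre-parse check that refuses any uploaded XML carrying a DOCTYPE or entity declaration. This is an added example, not MediaWiki's fix or code from the advisory, and it is written in Python rather than MediaWiki's PHP. The names `check_upload` and `ForbiddenXml` and the sample documents are constructed for illustration.

```python
import xml.parsers.expat

# Constructed samples: a plain SVG and one that declares an external entity.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><title>ok</title></svg>'
XXE_SVG = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE svg [ <!ENTITY ext SYSTEM "file:///constructed/placeholder"> ]>\n'
    b'<svg xmlns="http://www.w3.org/2000/svg"><title>&ext;</title></svg>'
)


class ForbiddenXml(ValueError):
    """Raised when a document carries a DTD or entity declaration."""


def check_upload(data: bytes) -> str:
    """Return the root element name; raise ForbiddenXml or ExpatError otherwise."""
    parser = xml.parsers.expat.ParserCreate()
    root = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # SVG, import dumps and feeds parse fine without a DTD, so refuse it outright.
        raise ForbiddenXml("DOCTYPE declaration not allowed")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise ForbiddenXml("entity declaration not allowed")

    def on_external_ref(context, base, sysid, pubid):
        # Defence in depth: never resolve an external entity.
        raise ForbiddenXml("external entity reference not allowed")

    def on_start(name, attrs):
        if not root:
            root.append(name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    parser.Parse(data, True)  # malformed input raises ExpatError
    return root[0]


if __name__ == "__main__":
    print(check_upload(BENIGN_SVG))
```

The check rejects on the declaration itself, before any entity is expanded, so it also stops internal entity expansion tricks that never touch the file system.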

Gentoo 201310-21 mediawiki 2013-10-28
Fedora FEDORA-2013-5874 mediawiki 2013-04-25
Fedora FEDORA-2013-6170 mediawiki 2013-04-30
Fedora FEDORA-2013-6171 mediawiki 2013-04-30

Copyright © 2017, Eklektix, Inc.