Created: April 30, 2013
Updated: May 1, 2013

Description: From the Red Hat bugzilla:
Three flaws were corrected in the recently-released MediaWiki 1.20.4 and 1.19.5 releases:
* An internal review discovered that specially crafted Lua function names could lead to cross-site scripting. (MediaWiki bug 46084)
* Daniel Franke reported that during SVG parsing, MediaWiki failed to prevent XML external entity (XXE) processing. This could lead to local file disclosure, or potentially remote command execution in environments that have enabled expect:// handling. (MediaWiki bug 46859)
* Internal review also discovered that Special:Import and Extension:RSS failed to prevent XML external entity (XXE) processing. (MediaWiki bug 47251)
CVE-2013-1951 was assigned to the first issue (the XSS); the other two do not have CVEs assigned, as per a discussion on oss-sec.
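The two XXE items above (SVG uploads and Special:Import / Extension:RSS input) share one mitigation: parse untrusted XML with external entity resolution switched off and reject the document if it declares or references anything outside itself. The following is an added example written for this page, not MediaWiki's own code. It uses Python's expat binding; the function name `check_xml_upload`, the return shape, and the two sample documents (including the `file:///constructed/placeholder/path` system identifier) are constructed for illustration.

```python
# Added example (not MediaWiki's code): reject XML uploads that declare or
# reference external entities, without ever fetching the referenced resource.
import xml.parsers.expat as expat


def check_xml_upload(data: bytes) -> dict:
    """Parse `data` with external-entity resolution disabled and report why,
    if at all, the document should be rejected.

    Returns {"accepted": bool, "findings": [reason, ...]} (constructed shape).
    """
    findings = []
    parser = expat.ParserCreate()
    # Never fetch external parameter entities or an external DTD subset.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_entity_decl(name, is_parameter_entity, value, base,
                       system_id, public_id, notation_name):
        # An entity with a system/public identifier points outside the
        # document, which is exactly the XXE vector the advisory describes.
        if system_id is not None or public_id is not None:
            findings.append(f"external entity declaration '{name}' -> {system_id}")
        elif is_parameter_entity:
            findings.append(f"parameter entity declaration '{name}'")

    def on_external_entity_ref(context, base, system_id, public_id):
        # Called when content references an external entity; returning 0
        # makes expat abort the parse instead of loading the resource.
        findings.append(f"external entity reference -> {system_id}")
        return 0

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity_ref

    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        # Reached when the reference handler above refused the fetch, or on
        # any other well-formedness error; either way the upload is rejected.
        findings.append(f"parse aborted: {exc}")

    return {"accepted": not findings, "findings": findings}


# Constructed sample inputs (not taken from the advisory).
# A typical SVG with a public DTD reference: nothing is fetched because
# parameter entity parsing is off, and no entity is declared, so it passes.
CLEAN_SVG = b"""<?xml version="1.0"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>
"""

# An SVG whose internal subset declares an external entity and references it
# in content; the system identifier is a placeholder, not a real target.
XXE_SVG = b"""<?xml version="1.0"?>
<!DOCTYPE svg [ <!ENTITY leak SYSTEM "file:///constructed/placeholder/path"> ]>
<svg xmlns="http://www.w3.org/2000/svg"><text>&leak;</text></svg>
"""


if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_SVG), ("xxe", XXE_SVG)):
        print(label, check_xml_upload(doc))
```

The same function can be run over the XML body handed to an import endpoint, since the check depends only on the document's DTD and entity usage, not on the SVG element vocabulary. A stricter policy that also refuses internal entity declarations is a reasonable choice for an upload pipeline, but it will reject some editor-generated SVGs that use internal entities for namespace strings.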