80729 – www-apps/mediawiki: Unspecified Cross-Site Scripting Vulnerability

Bug 80729 - www-apps/mediawiki: Unspecified Cross-Site Scripting Vulnerability

Summary: www-apps/mediawiki: Unspecified Cross-Site Scripting Vulnerability

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All All

Importance:	High normal (vote)
Assignee:	Gentoo Security

URL:	http://secunia.com/advisories/14125/
Whiteboard:	B4 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2005-02-04 08:24 UTC by Jean-François Brunette (RETIRED)
Modified:	2005-02-28 12:58 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Jean-François Brunette (RETIRED) gentoo-dev

2005-02-04 08:24:03 UTC

I know that version 1.3.10 is already in portage, but there is also the 1.3.9 version

----------------------
Description:
A vulnerability has been reported in MediaWiki, which can be exploited by malicious people to conduct cross-site scripting attacks.

Some unspecified input isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of a vulnerable site.

Successful exploitation requires user to be authenticated.

Solution:
Update to version 1.3.10.
http://sourceforge.net/project/showfiles.php?group_id=34373

Comment 1 Thierry Carrez (RETIRED) gentoo-dev

2005-02-04 08:28:48 UTC

InCVS and ready to fly. Security, please vote on GLSA need.
"Successful exploitation requires user to be authenticated." --> I vote NO.

Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-02-04 09:25:02 UTC

I vote NO.

web-apps please remove old vulnerable ebuilds.

Comment 3 Thierry Carrez (RETIRED) gentoo-dev

2005-02-28 12:58:58 UTC

done in GLSA 200502-33