Bug 80729

Summary:	www-apps/mediawiki: Unspecified Cross-Site Scripting Vulnerability
Product:	Gentoo Security	Reporter:	Jean-François Brunette (RETIRED) <formula7>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	web-apps
Priority:	High
Version:	unspecified
Hardware:	All
OS:	All
URL:	http://secunia.com/advisories/14125/
Whiteboard:	B4 [noglsa]
Package list:		Runtime testing required:	---

Description Jean-François Brunette (RETIRED) gentoo-dev

2005-02-04 08:24:03 UTC

I know that version 1.3.10 is already in portage, but there is also the 1.3.9 version

----------------------
Description:
A vulnerability has been reported in MediaWiki, which can be exploited by malicious people to conduct cross-site scripting attacks.

Some unspecified input isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of a vulnerable site.

Successful exploitation requires user to be authenticated.

Solution:
Update to version 1.3.10.
http://sourceforge.net/project/showfiles.php?group_id=34373

Comment 1 Thierry Carrez (RETIRED) gentoo-dev

2005-02-04 08:28:48 UTC

InCVS and ready to fly. Security, please vote on GLSA need.
"Successful exploitation requires user to be authenticated." --> I vote NO.

Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-02-04 09:25:02 UTC

I vote NO.

web-apps please remove old vulnerable ebuilds.

Comment 3 Thierry Carrez (RETIRED) gentoo-dev

2005-02-28 12:58:58 UTC

done in GLSA 200502-33