Bug 95255 - www-apps/mediawiki HTML Attributes Cross-Site Scripting Vulnerability
Summary: www-apps/mediawiki HTML Attributes Cross-Site Scripting Vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Other
Importance: High minor
Assignee: Gentoo Security
URL: http://secunia.com/advisories/15590/
Whiteboard: B4 [glsa]
Reported: 2005-06-06 12:44 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2005-06-13 14:41 UTC

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-06 12:44:29 UTC
It seems like we might not be affected, but filing in case anyone wants to bump.

A vulnerability has been reported in MediaWiki, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to certain HTML attributes isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary script code in a user's browser session in context of a vulnerable site.

The vulnerability has been reported in version 1.3.12 and 1.4.4. Prior versions may also be affected.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-06-08 06:46:07 UTC
Versions 1.3.13 and 1.4.5 are in portage
Ready for a GLSA vote
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-08 07:38:57 UTC
I tend to vote YES. 
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-06-10 04:33:47 UTC
I vote YES too (Low)
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-13 14:41:24 UTC
GLSA 200506-12