| Summary: | <www-apps/mediawiki-{1.19.9,1.20.8,1.21.3}: Multiple vulnerabilities (CVE-2013-{4567,4568,4569}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Alex Xu (Hello71) <alex_y_xu> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | cyberbat83, daniel, web-apps |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B4 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |

Description
Alex Xu (Hello71)
2013-11-14 22:11:37 UTC
Arches, please stabilize:
=www-apps/mediawiki-1.19.9
=www-apps/mediawiki-1.20.8
=www-apps/mediawiki-1.21.3

amd64 stable

x86 stable

ppc stable.

Maintainer(s), please cleanup.
Security, please vote.

Maintainer(s), Thank you for cleanup!

Thanks for your work.

GLSA vote: no

GLSA vote: no.

Closing noglsa.

CVE-2013-4569 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4569): The CleanChanges extension for MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3, when "Group changes by page in recent changes and watchlist" is enabled, allows remote attackers to obtain sensitive information (revision-deleted IPs) via the Recent Changes page.

CVE-2013-4568 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4568): Incomplete blacklist vulnerability in Sanitizer::checkCss in MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 allows remote attackers to conduct cross-site scripting (XSS) attacks via certain non-ASCII characters in CSS, as demonstrated using variations of "expression" containing (1) full width characters or (2) IPA extensions, which are converted and rendered by Internet Explorer.

CVE-2013-4567 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4567): Incomplete blacklist vulnerability in Sanitizer::checkCss in MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 allows remote attackers to conduct cross-site scripting (XSS) attacks via a \b (backspace) character in CSS.
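
The "incomplete blacklist" class described in CVE-2013-4567 and CVE-2013-4568, shown as an added defensive example that is not taken from this bug, from MediaWiki's `Sanitizer::checkCss` or from its patch: a keyword check on the raw value beside one that rejects control characters and folds compatibility forms before matching. The function names, the lookalike fold table and the sample strings are constructed assumptions.

```python
import re
import unicodedata

# Assumption: illustrative fold table for IPA Extensions small capitals, which
# NFKC normalization leaves unchanged. Not taken from the page or from MediaWiki.
LOOKALIKES = str.maketrans({"\u0280": "r", "\u0274": "n", "\u029f": "l", "\u026a": "i"})

# C0 controls other than tab/LF/FF/CR, plus DEL. Includes \b (U+0008).
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0e-\x1f\x7f]")
BLOCKED = re.compile(r"expression", re.IGNORECASE)


def naive_check(css: str) -> bool:
    """Keyword match on the raw value only. Returns True when the value is accepted."""
    return BLOCKED.search(css) is None


def hardened_check(css: str) -> bool:
    """Reject control characters, fold to a canonical form, then match."""
    if CONTROL_CHARS.search(css):
        return False  # no legitimate style value needs a backspace or NUL
    # NFKC maps fullwidth forms to ASCII; the table covers what NFKC does not.
    folded = unicodedata.normalize("NFKC", css).translate(LOOKALIKES)
    return BLOCKED.search(folded) is None


# Constructed sample values (harmless argument, keyword spelled four ways).
FULLWIDTH = "".join(chr(ord(c) + 0xFEE0) for c in "expression")
SAMPLES = {
    "plain": "color: red",
    "ascii": "width: expression(1)",
    "fullwidth": f"width: {FULLWIDTH}(1)",
    "ipa": "width: exp\u0280ession(1)",
    "backspace": "width: exp\x08ression(1)",
}


def audit(samples=SAMPLES):
    """Return {name: (naive_accepts, hardened_accepts)} for each sample."""
    return {name: (naive_check(v), hardened_check(v)) for name, v in samples.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in audit().items():
        print(f"{name:10} naive={'accept' if naive else 'reject'} "
              f"hardened={'accept' if hardened else 'reject'}")
```

The fold table still enumerates known lookalikes, so it is itself a blacklist; accepting only an allowlisted character set in style values closes the class instead of chasing variants.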