Summary: | <www-apps/mediawiki-{1.19.10,1.21.4,1.22.1}: Multiple vulnerabilities (CVE-2013-{6451,6452,6453,6454,6472}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Alex Xu (Hello71) <alex_y_xu> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | web-apps |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.gossamer-threads.com/lists/wiki/mediawiki/423808?do=post_view_threaded | ||
Whiteboard: | B4 [glsa] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | |||
Bug Blocks: | 499632 |
Description
Alex Xu (Hello71)
2014-01-14 12:13:19 UTC
* Durign internal review, it was discovered that MediaWiki's CSS sanitization did not filter -o-link attributes, which could be used to execute JavaScript in Opera 12. (CVE-2013-6454) <https://bugzilla.wikimedia.org/show_bug.cgi?id=58472> Is it stretching it to call this B2? "Remote passive compromise: remote execution of arbitrary code by enticing a user to visit a malicious server or using malicious data" Web code execution/XSS is B4. Bumped. Arches, please test and stabilize: =www-apps/mediawiki-{1.19.10,1.21.4} Target arches: amd64 ppc x86 amd64 stable x86 stable ppc stable @security, please vote @maintainers. please cleanup Cleanup complete. GLSA vote: yes CVE-2013-6454 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6454): Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via a -o-link attribute. CVE-2013-6453 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6453): MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 does not properly sanitize SVG files, which allows remote attackers to have unspecified impact via invalid XML. CVE-2013-6452 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6452): Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via crafted XSL in an SVG file. Adding to existing GLSA request. CVE-2013-6472 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6472): MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to obtain information about deleted page via the (1) log API, (2) enhanced RecentChanges, and (3) user watchlists. This issue was resolved and addressed in GLSA 201502-04 at http://security.gentoo.org/glsa/glsa-201502-04.xml by GLSA coordinator Kristian Fiskerstrand (K_F). |