I think 1.20.8 is also affected since it's not available for download, but waiting for CVE.
* During internal review, it was discovered that MediaWiki's CSS sanitization did not filter -o-link attributes, which could be used to execute JavaScript in Opera 12. (CVE-2013-6454) <https://bugzilla.wikimedia.org/show_bug.cgi?id=58472> Is it stretching it to call this B2? "Remote passive compromise: remote execution of arbitrary code by enticing a user to visit a malicious server or using malicious data"
Web code execution/XSS is B4.
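As an added illustration of the sanitizer gap discussed above (example code, not MediaWiki's own Sanitizer): a minimal style-attribute sanitizer that normalizes CSS escapes and comments before checking, then keeps only properties on an assumed allowlist, so a vendor-prefixed property such as -o-link is dropped without a denylist having to remember it. The allowlist, the denied value patterns and the sample inputs are assumptions constructed for this example.

```python
import re

# Assumed policy: only plain presentational properties are allowed. Any other
# property name, including vendor-prefixed ones like -o-link (CVE-2013-6454,
# followed as a link target by Opera 12), is dropped without being listed.
ALLOWED_PROPERTIES = {
    "color", "background-color", "font-weight", "font-style",
    "text-align", "width", "height", "margin", "padding", "border",
}
# Values that can run script or fetch remote resources in some browsers.
DENIED_VALUE_RE = re.compile(r"expression\s*\(|url\s*\(|javascript:", re.I)
# CSS escapes: a hex escape (with optional trailing space) or a single char.
CSS_ESCAPE_RE = re.compile(r"\\([0-9a-f]{1,6})\s?|\\(.)", re.I | re.S)
COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)


def normalize(css: str) -> str:
    """Decode escapes, strip comments and whitespace, lowercase.

    Checking before normalizing is the classic sanitizer mistake: a
    property name spelled with an escape would not match a plain string
    comparison, yet the browser decodes it and applies the property.
    """
    def unescape(m: re.Match) -> str:
        return chr(int(m.group(1), 16)) if m.group(1) else m.group(2)

    css = COMMENT_RE.sub("", css)
    css = CSS_ESCAPE_RE.sub(unescape, css)
    return re.sub(r"\s+", " ", css).strip().lower()


def sanitize_style(style: str) -> str:
    """Return the style attribute with every unsafe declaration removed.

    Simplified model: declarations are split on ';' and the first ':'.
    """
    kept = []
    for decl in normalize(style).split(";"):
        if ":" not in decl:
            continue
        prop, value = (part.strip() for part in decl.split(":", 1))
        if prop not in ALLOWED_PROPERTIES or DENIED_VALUE_RE.search(value):
            continue  # unknown property or dangerous value: drop it
        kept.append(f"{prop}: {value}")
    return "; ".join(kept)
```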
Bumped. Arches, please test and stabilize: =www-apps/mediawiki-{1.19.10,1.21.4} Target arches: amd64 ppc x86
amd64 stable
x86 stable
ppc stable. @security, please vote. @maintainers, please cleanup.
Cleanup complete.
GLSA vote: yes
CVE-2013-6454 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6454): Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via a -o-link attribute.
CVE-2013-6453 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6453): MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 does not properly sanitize SVG files, which allows remote attackers to have unspecified impact via invalid XML.
CVE-2013-6452 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6452): Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via crafted XSL in an SVG file.
Adding to existing GLSA request.
CVE-2013-6472 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6472): MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to obtain information about a deleted page via the (1) log API, (2) enhanced RecentChanges, and (3) user watchlists.
This issue was resolved and addressed in GLSA 201502-04 at http://security.gentoo.org/glsa/glsa-201502-04.xml by GLSA coordinator Kristian Fiskerstrand (K_F).