Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 508976 (CVE-2014-2853) - <www-apps/mediawiki-{1.19.16,1.21.10,1.22.7}: XSS in action=info (CVE-2014-2853)
Summary: <www-apps/mediawiki-{1.19.16,1.21.10,1.22.7}: XSS in action=info (CVE-2014-2853)
Status: RESOLVED FIXED
Alias: CVE-2014-2853
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-04-28 13:45 UTC by Agostino Sarubbo
Modified: 2014-08-25 22:42 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-04-28 13:45:40 UTC
From ${URL} :

The MediaWiki 1.22.6 and 1.21.9 releases fix a cross-site scripting issue. Viewing a malicious page with 
action=info could lead to arbitrary web script execution in the context of the victim's session.

This issue does not appear to affect any version in EPEL.

References:

http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-April/000149.html
https://bugzilla.wikimedia.org/show_bug.cgi?id=63251
https://github.com/wikimedia/mediawiki-core/commit/0b695ae09aada343ab59be4a3c9963995a1143b6


@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2014-06-16 04:20:45 UTC
This bug is being addressed in part of stabilization of Bug 512354 with versions:

www-apps/mediawiki-{1.19.16,1.21.10,1.22.7}
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-07-06 20:34:48 UTC
CVE-2014-2853 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2853):
  Cross-site scripting (XSS) vulnerability in includes/actions/InfoAction.php
  in MediaWiki before 1.21.9 and 1.22.x before 1.22.6 allows remote attackers
  to inject arbitrary web script or HTML via the sort key in an info action.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2014-07-06 20:36:13 UTC
no GLSA for Cross Site Scripting

Maintainer(s), please drop the vulnerable version.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2014-08-25 20:15:00 UTC
Maintainer(s), please drop the vulnerable version - we would love to close this bug.
Comment 5 Chris Reffett (RETIRED) gentoo-dev Security 2014-08-25 22:42:55 UTC
Maintainer timeout, cleanup done, closing noglsa.