Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 512354 (CVE-2014-3966) - <www-apps/mediawiki-{1.19.16,1.21.10,1.22.7}: XSS flaw due to improper parsing of Special:PasswordReset (CVE-2014-3966)
Summary: <www-apps/mediawiki-{1.19.16,1.21.10,1.22.7}: XSS flaw due to improper parsin...
Alias: CVE-2014-3966
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B4 [noglsa]
Depends on:
Reported: 2014-06-04 08:13 UTC by Agostino Sarubbo
Modified: 2014-08-25 22:42 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-06-04 08:13:00 UTC
From ${URL} :

New versions of MediaWiki have been announced [1] to fix the following flaw [2]:

XSS vulnerability in MediaWiki before 1.22.7, due to usernames on
Special:PasswordReset being parsed as wikitext.  The username on
Special:PasswordReset can be supplied by anyone and will be parsed with
wgRawHtml enabled.  Since Special:PasswordReset is whitelisted by default on
private wikis, this could potentially lead to an XSS crossing a privilege

This is corrected [3] in upstream versions 1.19.16, 1.21.10, and 1.22.7.  A CVE has been requested [4].


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Tim Harder gentoo-dev 2014-06-10 18:51:00 UTC
Arches please stabilize:

Comment 2 Agostino Sarubbo gentoo-dev 2014-06-13 21:45:15 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2014-06-13 21:45:37 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2014-07-05 12:54:40 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2014-07-06 20:13:19 UTC
CVE-2014-3966 (
  Cross-site scripting (XSS) vulnerability in Special:PasswordReset in
  MediaWiki before 1.19.16, 1.21.x before 1.21.10, and 1.22.x before 1.22.7,
  when wgRawHtml is enabled, allows remote attackers to inject arbitrary web
  script or HTML via an invalid username.
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2014-07-06 20:33:12 UTC
no GLSA for Cross Site Scripting

Maintainer(s), please drop the vulnerable version.
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2014-08-25 21:00:28 UTC
Maintainer(s), please drop the vulnerable version - we would love to close this bug.
Comment 8 Chris Reffett (RETIRED) gentoo-dev Security 2014-08-25 22:42:56 UTC
Maintainer timeout, cleanup done, closing noglsa.