From ${URL} : The MediaWiki 1.22.6 and 1.21.9 releases fix a cross-site scripting issue. Viewing a malicious page with action=info could lead to arbitrary web script execution in the context of the victim's session. This issue does not appear to affect any version in EPEL. References: http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-April/000149.html https://bugzilla.wikimedia.org/show_bug.cgi?id=63251 https://github.com/wikimedia/mediawiki-core/commit/0b695ae09aada343ab59be4a3c9963995a1143b6 @maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
This bug is being addressed in part of stabilization of Bug 512354 with versions: www-apps/mediawiki-{1.19.16,1.21.10,1.22.7}
CVE-2014-2853 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2853): Cross-site scripting (XSS) vulnerability in includes/actions/InfoAction.php in MediaWiki before 1.21.9 and 1.22.x before 1.22.6 allows remote attackers to inject arbitrary web script or HTML via the sort key in an info action.
no GLSA for Cross Site Scripting Maintainer(s), please drop the vulnerable version.
Maintainer(s), please drop the vulnerable version - we would love to close this bug.
Maintainer timeout, cleanup done, closing noglsa.
