6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.083 Low
EPSS
Percentile
94.2%
MediaWiki user Michael M reported that the fix for CVE-2013-4568 allowed insertion of escaped CSS values which could pass the CSS validation checks, resulting in XSS (CVE-2013-6451). Chris from RationalWiki reported that SVG files could be uploaded that include external stylesheets, which could lead to XSS when an XSL was used to include JavaScript (CVE-2013-6452). During internal review, it was discovered that MediaWikiβs SVG sanitization could be bypassed when the XML was considered invalid (CVE-2013-6453). During internal review, it was discovered that MediaWiki displayed some information about deleted pages in the log API, enhanced RecentChanges, and user watchlists (CVE-2013-6472). Netanel Rubin from Check Point discovered a remote code execution vulnerability in MediaWikiβs thumbnail generation for DjVu files. Internal review also discovered similar logic in the PdfHandler extension, which could be exploited in a similar way (CVE-2014-1610). MediaWiki has been updated to version 1.22.2, which fixes these issues, as well as several others. Also, the mediawiki-ldapauthentication and mediawiki-math extensions have been updated to newer versions that are compatible with MediaWiki 1.22. Additionally, the mediawiki-graphviz extension has been obsoleted, due to the fact that it is unmaintained upstream and is vulnerable to cross-site scripting attacks. Note: if you were using the βinstancesβ feature in these packages to support multiple wiki instances, this feature has now been removed. You will need to maintain separate wiki instances manually.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Mageia | 3 | noarch | mediawiki | <Β 1.22.2-1.1 | mediawiki-1.22.2-1.1.mga3 |
Mageia | 3 | noarch | mediawiki-ldapauthentication | <Β 2.0f-1.1 | mediawiki-ldapauthentication-2.0f-1.1.mga3 |
Mageia | 3 | noarch | mediawiki-math | <Β 1.1-1.1 | mediawiki-math-1.1-1.1.mga3 |
Mageia | 4 | noarch | mediawiki | <Β 1.22.2-1.1 | mediawiki-1.22.2-1.1.mga4 |
Mageia | 4 | noarch | mediawiki-ldapauthentication | <Β 2.0f-1.1 | mediawiki-ldapauthentication-2.0f-1.1.mga4 |
Mageia | 4 | noarch | mediawiki-math | <Β 1.1-1.1 | mediawiki-math-1.1-1.1.mga4 |
lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000138.html
lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000140.html
www.mediawiki.org/wiki/Extension:GraphViz
bugs.mageia.org/show_bug.cgi?id=12337
lists.fedoraproject.org/pipermail/package-announce/2014-February/127948.html
lists.fedoraproject.org/pipermail/package-announce/2014-January/127027.html
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.083 Low
EPSS
Percentile
94.2%