MediaWiki UnicodeConverter Extension XSS

2004-10-14T07:43:56
ID OSVDB:10781
Type osvdb
Reporter OSVDB
Modified 2004-10-14T07:43:56

Description

Vulnerability Description

MediaWiki contains a flaw that allows an attacker to inject arbitrary script. User-supplied input passed to the UnicodeConverter extension is not properly verified, which allows an attacker to inject malicious HTML and JavaScript.

Solution Description

Upgrade to version 1.3.6 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.


References:

Vendor URL: http://wikipedia.sourceforge.net/
Vendor Specific Advisory URL
Security Tracker: 1011685
Secunia Advisory ID: 12825
Related OSVDB ID: 10782
Related OSVDB ID: 10784
Related OSVDB ID: 10786
Related OSVDB ID: 10783
ISS X-Force ID: 17710
CVE-2004-2185
Bugtraq ID: 11416