SUSE CVE-2015-2931

Incomplete blacklist vulnerability in includes/upload/UploadBase.php in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via an application/xml MIME type for a nested SVG with a data: URI...

UBUNTU-CVE-2015-2931

Incomplete blacklist vulnerability in includes/upload/UploadBase.php in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via an application/xml MIME type for a nested SVG with a data: URI...

UBUNTU-CVE-2014-2242

includes/upload/UploadBase.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 does not prevent use of invalid namespaces in SVG files, which allows remote attackers to conduct cross-site scripting XSS attacks via an SVG upload, as demonstrated by use of a W...

CVE-2014-2242

The CVE affects MediaWiki versions using UploadBase.php (before 1.19.12; 1.20.x before 1.21.6; 1.21.x before 1.21.6; 1.22.x before 1.22.3). It stems from not blocking invalid SVG namespaces, allowing XSS via SVG uploads (e.g., W3C XHTML namespace with an IFRAME). Exploitation is via SVG upload; i...