[Pkg-mediawiki-devel] Bug#585918: mediawiki: XSS vulnerabilities, CVEs

Jonathan Wiltshire debian at jwiltshire.org.uk
Mon Jun 14 21:04:29 UTC 2010


Package: mediawiki
Version: 1:1.15.3-1
Severity: normal
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2010-1647:
Cross-site scripting (XSS) vulnerability in MediaWiki 1.15 before 1.15.4 and
1.16 before 1.16 beta 3 allows remote attackers to inject arbitrary web script
or HTML via crafted Cascading Style Sheets (CSS) strings that are processed as
script by Internet Explorer. 

CVE-2010-1648:
Cross-site request forgery (CSRF) vulnerability in the login interface in
MediaWiki 1.15 before 1.15.4 and 1.16 before 1.16 beta 3 allows remote
attackers to hijack the authentication of users for requests that (1) create
accounts or (2) reset passwords, related to the Special:Userlogin form. 

http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html


- -- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkwWmVkACgkQymvqPtuAC1LsxACfVYbA2BRnuc6TaSBkhEHQUgrw
uvwAn3K8OJXhkB9hQtAUqPipjnnDEJFG
=tiJD
-----END PGP SIGNATURE-----
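
An added illustration of the control whose absence CVE-2010-1648 describes (not code from MediaWiki or from this report): state-changing requests to a login interface are accepted only with a per-session, per-action, single-use token. All names here (`SessionStore`, `handle_post`, the action strings) are hypothetical, and the in-memory store stands in for real server-side session storage.

```python
import hmac
import secrets

# Hypothetical action names: the two requests named in CVE-2010-1648
# (account creation, password reset) plus login itself.
PROTECTED_ACTIONS = {"login", "create_account", "reset_password"}


class SessionStore:
    """In-memory stand-in for server-side storage of anonymous sessions."""

    def __init__(self):
        self._tokens = {}  # session id -> {action: token}

    def new_session(self):
        sid = secrets.token_urlsafe(32)  # value the browser holds as a cookie
        self._tokens[sid] = {}
        return sid

    def issue_token(self, sid, action):
        """Called when the form is rendered; the token goes in a hidden field."""
        token = secrets.token_urlsafe(32)
        self._tokens[sid][action] = token
        return token

    def consume_token(self, sid, action, submitted):
        """True only for the unused token issued to this session and action."""
        expected = self._tokens.get(sid, {}).get(action)
        if expected is None or not submitted:
            return False
        # Constant-time comparison on bytes.
        if not hmac.compare_digest(expected.encode(), submitted.encode()):
            return False
        del self._tokens[sid][action]  # single use: a replay will fail
        return True


def handle_post(store, cookie_sid, action, form):
    """Decide whether a state-changing POST to the login interface proceeds."""
    if action not in PROTECTED_ACTIONS:
        return "rejected: unknown action"
    if not store.consume_token(cookie_sid, action, form.get("token", "")):
        return "rejected: missing or invalid token"
    return "accepted: " + action
```

A page on another origin can make the browser send the session cookie, but it cannot read the hidden field from the rendered form, so its request arrives without a valid token and is refused.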




