oss-sec mailing list archives
MediaWiki security release - 1.23.7
From: Chris Steipp <csteipp () wikimedia org>
Date: Wed, 3 Dec 2014 12:57:58 -0800
Hi, we fixed a few security bugs in last week's MediaWiki release [1]. Two of them I think should have CVE's:

* bug 71111 / T73111 - A missing csrf check could allow reflected xss on wikis that allow raw html (https://phabricator.wikimedia.org/T73111)

* bug 71478 / T73478 - MediaWiki's <cross-domain-policy> mangling could allow an article editor to inject code into api consumers that blindly unserialize php representations of the page from the api (https://phabricator.wikimedia.org/T73478)

Could those be assigned?

[1] - https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-November/000170.html