oss-sec mailing list archives
Re: CVE request: mediawiki before 1.17.1
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 29 Nov 2011 14:23:30 -0700
On 11/29/2011 03:12 AM, Hanno Böck wrote:
http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-November/000104.html From announce mail: ------------- I would like to announce the release of MediaWiki 1.17.1. Two security issues were discovered. Alexandre Emsenhuber discovered an issue where page titles on private wikis could be exposed bypassing different page ids to index.php. In the case of the user not having correct permissions, they will now be redirected to Special:BadTitle. For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=32276
Please use CVE-2011-4360 for this issue.
The second issue was found by Tim Starling, who discovered that action=ajax requests were dispatched to the relevant function without any read permission checks being done. This could have led to data leakage on private wikis. For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=32616
Please use CVE-2011-4361 for this issue.
------------------------ Please assign two CVEs.
-- -Kurt Seifried / Red Hat Security Response Team
Current thread:
- CVE request: mediawiki before 1.17.1 Hanno Böck (Nov 29)
- Re: CVE request: mediawiki before 1.17.1 Kurt Seifried (Nov 29)