oss-sec mailing list archives
Re: CVE Request: Mediawiki security releases 1.24.1, 1.23.8, 1.22.15 and 1.19.23
From: Salvatore Bonaccorso <carnil () debian org>
Date: Tue, 30 Dec 2014 05:25:38 +0100
Hi,

On Sun, Dec 21, 2014 at 01:39:50PM +0100, Salvatore Bonaccorso wrote:
> Hi
>
> New security releases for Mediawiki (1.24.1, 1.23.8, 1.22.15 and
> 1.19.23) were announced:
>
> https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-December/000173.html
>
> == Security fixes in 1.24.1, 1.23.8, 1.22.15 and 1.19.23 ==
> * (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML,
>   which could lead to xss. Permission to edit MediaWiki namespace is
>   required to exploit this.
> * (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in
>   $wgCrossSiteAJAXdomains in API calls if it only included an allowed
>   domain as part of its name.
>
> Could CVE's be assigned for these two issues?
>
> References:
> * https://phabricator.wikimedia.org/T76686 (not accessible atm)
> * https://phabricator.wikimedia.org/T77028 (seem to be only affecting 1.20 and above)
> * https://bugzilla.redhat.com/show_bug.cgi?id=1175828

Could CVEs be assigned to reference these mediawiki issues?

Regards,
Salvatore
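
The second issue quoted above is an origin allow-list check that accepts a site whose name merely contains an allowed domain. As an added example (not part of the original message and not MediaWiki's code), this PHP sketch contrasts an unanchored match with a full-host match; the function names, hosts and wildcard handling are assumptions made for illustration.

```php
<?php
// Added illustration, not MediaWiki source. Function names, hosts and the
// wildcard handling are assumptions; all origins below are constructed.

// Turn an allow-list entry such as "*.example.org" into a regex body.
function patternBody(string $entry): string {
    $quoted = preg_quote(strtolower($entry), '/');
    // preg_quote escapes the wildcards; map them back to host-only classes.
    return strtr($quoted, ['\*' => '[a-z0-9.-]*', '\?' => '[a-z0-9-]']);
}

// Weak form: unanchored match against the raw Origin header value.
function weakMatch(string $origin, array $allowed): bool {
    foreach ($allowed as $entry) {
        if (preg_match('/' . patternBody($entry) . '/', $origin) === 1) {
            return true;
        }
    }
    return false;
}

// Hardened form: extract the host, then require the pattern to cover all of it.
function strictMatch(string $origin, array $allowed): bool {
    $host = parse_url($origin, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false; // "null" or malformed Origin values are never allowed
    }
    foreach ($allowed as $entry) {
        if (preg_match('/\A' . patternBody($entry) . '\z/', strtolower($host)) === 1) {
            return true;
        }
    }
    return false;
}

$allowed = ['en.example.org', '*.wiki.example'];
$origins = [
    'https://en.example.org',               // listed host
    'https://meta.wiki.example',            // covered by the wildcard entry
    'https://en.example.org.attacker.test', // allowed name used as a prefix
    'https://not-en.example.org',           // allowed name used as a suffix
    'null',                                 // opaque origin
];
foreach ($origins as $o) {
    printf("%-40s weak=%-5s strict=%s\n", $o,
        var_export(weakMatch($o, $allowed), true),
        var_export(strictMatch($o, $allowed), true));
}
```

Only the first two origins pass the strict check; the weak check also accepts the third and fourth because the allowed name appears somewhere inside them.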