oss-sec mailing list archives

Re: CVE Request: Mediawiki security releases 1.24.1, 1.23.8, 1.22.15 and 1.19.23

From: Salvatore Bonaccorso <carnil () debian org>
Date: Tue, 30 Dec 2014 05:25:38 +0100

Hi,

On Sun, Dec 21, 2014 at 01:39:50PM +0100, Salvatore Bonaccorso wrote:

Hi

New security releases for Mediawiki (1.24.1, 1.23.8, 1.22.15 and 1.19.23) were
announced:

https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-December/000173.html

== Security fixes in 1.24.1, 1.23.8, 1.22.15 and 1.19.23 ==
* (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML,
  which could lead to xss. Permission to edit MediaWiki namespace is required
  to exploit this.
* (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in
  $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as
  part of its name.


Could CVE's be assigned for these two issues?

References:

 * https://phabricator.wikimedia.org/T76686 (not accessible atm)
 * https://phabricator.wikimedia.org/T77028 (seem to be only affecting
   1.20 and above)
 * https://bugzilla.redhat.com/show_bug.cgi?id=1175828


Could CVEs be assigned to reference these mediawiki issues?

Regards,
Salvatore

Current thread:

CVE Request: Mediawiki security releases 1.24.1, 1.23.8, 1.22.15 and 1.19.23 Salvatore Bonaccorso (Dec 21)
- Re: CVE Request: Mediawiki security releases 1.24.1, 1.23.8, 1.22.15 and 1.19.23 Salvatore Bonaccorso (Dec 29)