oss-sec mailing list archives

MediaWiki security release - 1.23.7


From: Chris Steipp <csteipp () wikimedia org>
Date: Wed, 3 Dec 2014 12:57:58 -0800

Hi, we fixed a few security bugs in last week's MediaWiki release [1].
Two of them I think should have CVEs:

* bug 71111 / T73111 - A missing CSRF check could allow reflected XSS
on wikis that allow raw HTML
(https://phabricator.wikimedia.org/T73111)

* bug 71478 / T73478 - MediaWiki's <cross-domain-policy> mangling
could allow an article editor to inject code into API consumers that
blindly unserialize PHP representations of the page from the API
(https://phabricator.wikimedia.org/T73478)

Could those be assigned?


[1] - https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-November/000170.html

