oss-sec mailing list archives
Re: CVE Request: Mediawiki security releases 1.24.1, 1.23.8, 1.22.15 and 1.19.23
From: cve-assign () mitre org
Date: Sat, 3 Jan 2015 17:37:48 -0500 (EST)
On Tue, 30 Dec 2014, Salvatore Bonaccorso wrote:

> Hi,
>
> On Sun, Dec 21, 2014 at 01:39:50PM +0100, Salvatore Bonaccorso wrote:
> > Hi
> >
> > New security releases for Mediawiki (1.24.1, 1.23.8, 1.22.15 and
> > 1.19.23) were announced:
> >
> > https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-December/000173.html
> >
> > > == Security fixes in 1.24.1, 1.23.8, 1.22.15 and 1.19.23 ==
> > > * (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw
> > >   HTML, which could lead to xss. Permission to edit MediaWiki
> > >   namespace is required to exploit this.
> > > * (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions
> > >   in $wgCrossSiteAJAXdomains in API calls if it only included an
> > >   allowed domain as part of its name.
> >
> > Could CVE's be assigned for these two issues?

CVE-2014-9475 - bug T76686
CVE-2014-9476 - bug T77028

The same advisory also lists multiple issues in extensions:

CVE-2014-9477 - bug T77624 / Extension:Listings
CVE-2014-9478 - bug T73111 / Extension:ExpandTemplates
CVE-2014-9479 - bug T76195 / Extension:TemplateSandbox
CVE-2014-9480 - bug T69180 / Extension:Hovercards
CVE-2014-9481 - bug T73167 / Extension:Scribunto
CVE-2014-9487 [sic] - bug T71209 / Extension:TimedMediaHandler

---
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
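
The class of flaw described for bug T77028 (an origin accepted because an allowed domain appears somewhere inside its name) can be shown with a generic origin check. This is an added example, not part of the original message and not MediaWiki's code; the allow-list, the wildcard translation and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list of wildcard domain patterns (hypothetical values).
ALLOWED = ["*.wiki.example", "wiki.example"]

# Constructed Origin header values used to compare the two checks.
SAMPLE_ORIGINS = [
    "https://en.wiki.example",
    "https://wiki.example",
    "https://wiki.example.attacker.test",
    "https://notwiki.example",
    "null",
]


def wildcard_to_regex(pattern):
    """Translate '*' and '?' wildcards; every other character is literal."""
    table = {"*": ".*", "?": "."}
    return "".join(table.get(ch, re.escape(ch)) for ch in pattern)


def origin_host(origin):
    """Return the lower-cased host of an Origin header value, or None."""
    try:
        host = urlsplit(origin).hostname
    except ValueError:
        return None
    return host.lower() if host else None


def allowed_unanchored(origin, patterns=ALLOWED):
    """Flawed check: a pattern that matches anywhere in the host is accepted."""
    host = origin_host(origin)
    if host is None:
        return False
    return any(re.search(wildcard_to_regex(p), host) for p in patterns)


def allowed_anchored(origin, patterns=ALLOWED):
    """Hardened check: a pattern must match the entire host."""
    host = origin_host(origin)
    if host is None:
        return False
    return any(re.fullmatch(wildcard_to_regex(p), host) for p in patterns)


def compare(origins=SAMPLE_ORIGINS):
    """Return (origin, unanchored_result, anchored_result) for each origin."""
    return [(o, allowed_unanchored(o), allowed_anchored(o)) for o in origins]


if __name__ == "__main__":
    for origin, weak, strict in compare():
        print(f"{origin:40} unanchored={weak!s:5} anchored={strict}")
```

Origins on which the two checks disagree are the ones a regression test for this kind of allow-list should cover.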