Re: CVE Request: Mediawiki security releases 1.24.1, 1.23.8, 1.22.15 and 1.19.23

[cve-assign () mitre org]

On Tue, 30 Dec 2014, Salvatore Bonaccorso wrote:

> Hi,
>
> On Sun, Dec 21, 2014 at 01:39:50PM +0100, Salvatore Bonaccorso wrote:
> > Hi
> >
> > New security releases for Mediawiki (1.24.1, 1.23.8, 1.22.15 and 1.19.23) were
> > announced:
> >
> > https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-December/000173.html
> >
> > > == Security fixes in 1.24.1, 1.23.8, 1.22.15 and 1.19.23 ==
> > > * (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML,
> > >   which could lead to xss. Permission to edit MediaWiki namespace is required
> > >   to exploit this.
> > > * (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in
> > >   $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as
> > >   part of its name.
> >
> > Could CVE's be assigned for these two issues?

CVE-2014-9475 - bug T76686

CVE-2014-9476 - bug T77028

The same advisory also lists multiple issues in extensions:

CVE-2014-9477 - bug T77624 / Extension:Listings

CVE-2014-9478 - bug T73111 / Extension:ExpandTemplates

CVE-2014-9479 - bug T76195 / Extension:TemplateSandbox

CVE-2014-9480 - bug T69180 / Extension:Hovercards

CVE-2014-9481 - bug T73167 / Extension:Scribunto

CVE-2014-9487 [sic] - bug T71209 / Extension:TimedMediaHandler

---

CVE assignment team, MITRE CVE Numbering Authority M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]