Advisories ยป MGASA-2014-0555

Updated mediawiki packages fix security vulnerabilities

Publication date: 26 Dec 2014
Type: security
Affected Mageia releases : 4


Updated mediawiki packages fix security vulnerabilities:

In MediaWiki before 1.23.8, thumb.php outputs wikitext message as raw HTML,
which could lead to cross-site scripting. Permission to edit MediaWiki
namespace is required to exploit this.

In MediaWiki before 1.23.8, a malicious site can bypass CORS restrictions in
$wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as
part of its name.