Bug 601881 (CVE-2010-1647, CVE-2010-1648)

Summary: CVE-2010-1647 CVE-2010-1648 mediawiki: multiple vulnerabilities fixed in 1.15.4/1.16b3
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: axel.thimm
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2013-04-05 18:08:13 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 605299

Description Vincent Danen 2010-06-08 19:49:22 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-1647 to
the following vulnerability:

Name: CVE-2010-1647
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1647
Assigned: 20100429
Reference: MLIST:[MediaWiki-announce] 20100528 MediaWiki security update: 1.15.4 and 1.16.0beta3
Reference: URL: http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html
Reference: CONFIRM: https://bugzilla.wikimedia.org/show_bug.cgi?id=23687

Cross-site scripting (XSS) vulnerability in MediaWiki 1.15 before
1.15.4 and 1.16 before 1.16 beta 3 allows remote attackers to inject
arbitrary web script or HTML via crafted Cascading Style Sheets (CSS)
strings that are processed as script by Internet Explorer.


Common Vulnerabilities and Exposures assigned an identifier CVE-2010-1648 to
the following vulnerability:

Name: CVE-2010-1648
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1648
Assigned: 20100429
Reference: MLIST:[MediaWiki-announce] 20100528 MediaWiki security update: 1.15.4 and 1.16.0beta3
Reference: URL: http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html
Reference: CONFIRM: https://bugzilla.wikimedia.org/show_bug.cgi?id=23371

Cross-site request forgery (CSRF) vulnerability in the login interface
in MediaWiki 1.15 before 1.15.4 and 1.16 before 1.16 beta 3 allows
remote attackers to hijack the authentication of users for requests
that (1) create accounts or (2) reset passwords, related to the
Special:Userlogin form.
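
The CVE-2010-1647 text above only says that crafted CSS strings are "processed as script by Internet Explorer". The following is an added example (not MediaWiki's code and not from this bug report) of the defensive check a wiki that lets users supply inline styles needs: normalise the CSS the way a lenient browser does (strip `/* */` comments, decode backslash escapes) before looking for script-bearing constructs, then allow only a conservative character set. The specific forms it rejects (`expression(`, `javascript:` URLs, `behavior:`, `-moz-binding`, `@import`, `url(`) are assumptions drawn from general browser knowledge; the advisory itself does not name them.

```python
import re

# A closed comment, or one left unterminated to the end of the value.
_COMMENT = re.compile(r'/\*.*?(?:\*/|$)', re.S)

# CSS escapes: backslash + 1-6 hex digits (+ optional single whitespace),
# or backslash + any other character. One pass, so a decoded backslash is
# never re-interpreted as the start of a second escape.
_ESCAPE = re.compile(r'\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\(.)', re.S)

# Constructs that some browsers (historically IE) evaluate as script or
# that pull in external resources. Assumed list, not from the advisory.
_DANGEROUS = re.compile(
    r'expression\s*\(|(?:javascript|vbscript)\s*:|behaviou?r\s*:'
    r'|-moz-binding|@import|url\s*\(',
    re.I,
)

# After normalisation, only this conservative alphabet is accepted:
# no quotes, no backslashes, no angle brackets, no control characters.
_ALLOWED = re.compile(r'^[A-Za-z0-9 \t#%.,:;()/!\-]*$')


def _decode_escape(m):
    if m.group(1) is not None:
        cp = int(m.group(1), 16)
        return chr(cp) if 0 < cp <= 0x10FFFF else '\ufffd'
    return m.group(2)


def normalize_css(value):
    """Collapse the obfuscations a browser would see through:
    'exp/**/ression' and 'e\\78pression' both become 'expression'."""
    value = _COMMENT.sub('', value)
    value = _ESCAPE.sub(_decode_escape, value)
    # Drop C0 control characters (except tab) and DEL that some parsers ignore.
    value = re.sub(r'[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]', '', value)
    return value


def is_safe_css(value):
    """True only if the normalised value is in the allowed alphabet and
    contains none of the script-bearing constructs."""
    norm = normalize_css(value)
    if not _ALLOWED.fullmatch(norm):
        return False
    return _DANGEROUS.search(norm) is None


if __name__ == "__main__":
    # Constructed samples, labelled as such; the last three are the kind of
    # input a sanitiser that checks before normalising would wrongly accept.
    samples = [
        "color: red; width: 50%",
        "background: rgb(255, 0, 0) !important",
        "width: expression(alert(1))",
        "width: exp/**/ression(alert(1))",
        r"width: e\78pression(alert(1))",
    ]
    for s in samples:
        print(f"{'safe' if is_safe_css(s) else 'REJECT':6} {s!r} -> {normalize_css(s)!r}")
```

The check runs after normalisation on purpose: a filter that searches the raw string for `expression(` passes `exp/**/ression(` and `e\78pression(` unchanged, and the browser then reassembles them. The whitelist is deliberately strict (quoted font names are rejected, for instance); widen it only for characters you have confirmed the target browsers do not treat specially.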

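For CVE-2010-1648, the weakness is a login-form action (account creation, password reset) that changes state on a POST the server cannot tie back to a form it rendered for that browser. The added example below (not MediaWiki's code and not from this bug report) shows the standard mitigation: derive a token from the visitor's session id and the specific action with a server-side HMAC key, emit it as a hidden field when the form is rendered, and refuse the POST unless the token matches in constant time. The field name `csrf_token`, the `SECRET_KEY` and the two handlers are hypothetical; the one non-obvious point, which the login form case makes sharp, is that an anonymous visitor must already have a session cookie when the form is rendered, or there is nothing to bind the token to.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side key. Generated at start-up here for the example;
# a real deployment loads it from configuration, never from the request.
SECRET_KEY = secrets.token_bytes(32)

# Login-form actions that change state and therefore require a token.
STATE_CHANGING_ACTIONS = ("createaccount", "resetpass")


def make_token(session_id, action):
    """Anti-CSRF token bound to one session and one action.

    A page on another origin can trigger the victim's browser to POST here,
    but it cannot read the victim's session cookie or this derived value,
    so it cannot supply a matching token."""
    msg = f"{session_id}\0{action}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_form(session_id, action):
    """What the GET of the form would emit as hidden fields (as a dict).

    `session_id` must exist even for a logged-out visitor: the server sets a
    session cookie before rendering, otherwise the token has no binding."""
    return {"action": action, "csrf_token": make_token(session_id, action)}


def handle_post(session_id, form):
    """Validate a POST to the login form. Returns (status, message)."""
    action = form.get("action")
    if action not in STATE_CHANGING_ACTIONS:
        return 400, "unknown action"
    presented = form.get("csrf_token", "")
    # compare_digest needs two ASCII str of any length; reject junk early.
    if not isinstance(presented, str) or not presented.isascii():
        return 403, "CSRF token missing or invalid"
    if not hmac.compare_digest(make_token(session_id, action), presented):
        return 403, "CSRF token missing or invalid"
    if action == "createaccount":
        return 200, f"account {form.get('wpName', '')!r} created"
    return 200, "password reset mail sent"


if __name__ == "__main__":
    # Constructed session ids standing in for the session cookie value.
    victim, other = "sess-victim", "sess-other"
    fields = issue_form(victim, "createaccount")
    # Legitimate submission: form rendered in this session, token echoed back.
    print(handle_post(victim, {**fields, "wpName": "alice"}))
    # Cross-site submission: the foreign page does not know the token.
    print(handle_post(victim, {"action": "createaccount", "wpName": "mallory"}))
    # A token obtained in some other session does not transfer.
    print(handle_post(victim, {**issue_form(other, "createaccount"), "wpName": "mallory"}))
    # A token for one action is not valid for another.
    print(handle_post(victim, {"action": "resetpass", "csrf_token": fields["csrf_token"]}))
```

Binding the token to the action as well as the session means a token leaked from the password-reset form cannot be replayed against account creation. Checking `Origin`/`Referer` headers is a useful second layer but not a replacement: the token check is what closes the gap described in the CVE text.
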
Comment 1 Vincent Danen 2010-06-17 15:17:00 UTC
Created mediawiki tracking bugs for this issue

Affects: fedora-all [bug 605299]

Comment 2 Fedora Update System 2010-07-06 17:23:48 UTC
mediawiki-1.15.4-54.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 3 Fedora Update System 2010-07-06 17:34:58 UTC
mediawiki-1.15.4-54.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.