Bug 1104222 (CVE-2014-3966) - CVE-2014-3966 mediawiki: XSS flaw due to improper parsing of Special:PasswordReset
Summary: CVE-2014-3966 mediawiki: XSS flaw due to improper parsing of Special:Password...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-3966
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1104223 1104224 1104225
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-06-03 14:33 UTC by Vincent Danen
Modified: 2019-09-29 13:18 UTC (History)
6 users (show)

Fixed In Version: mediawiki 1.22.7, mediawiki 1.21.10, mediawiki 1.19.16
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-09-10 23:22:58 UTC
Embargoed:

Attachments (Terms of Use)

Description Vincent Danen 2014-06-03 14:33:59 UTC 
New versions of MediaWiki have been announced [1] to fix the following flaw [2]:

XSS vulnerability in MediaWiki before 1.22.7, due to usernames on
Special:PasswordReset being parsed as wikitext.  The username on
Special:PasswordReset can be supplied by anyone and will be parsed with
wgRawHtml enabled.  Since Special:PasswordReset is whitelisted by default on
private wikis, this could potentially lead to an XSS crossing a privilege
boundary.

This is corrected [3] in upstream versions 1.19.16, 1.21.10, and 1.22.7.  A CVE has been requested [4].

[1] http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-May/000151.html
[2] https://bugzilla.wikimedia.org/show_bug.cgi?id=65501
[3] https://gerrit.wikimedia.org/r/#/c/136131/
[4] http://openwall.com/lists/oss-security/2014/06/03/7
Comment 1 Vincent Danen 2014-06-03 14:34:55 UTC 
Created mediawiki tracking bugs for this issue:

Affects: fedora-all [bug 1104223]
Affects: epel-5 [bug 1104224]
Comment 2 Vincent Danen 2014-06-03 14:34:57 UTC 
Created mediawiki119 tracking bugs for this issue:

Affects: epel-all [bug 1104225]
Comment 3 Vincent Danen 2014-06-04 17:52:07 UTC 
Mediawiki 1.21.10 is in testing for both Fedora 19 and 20.
Comment 4 Fedora Update System 2014-08-22 19:17:43 UTC 
mediawiki119-1.19.18-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.