Red Hat Bugzilla – Bug 287881
CVE-2007-4828 mediawiki cross-site scripting vulnerability
Last modified: 2007-11-30 17:12:15 EST
Secunia published security advisory for mediawiki:
A vulnerability has been reported in MediaWiki, which can be exploited by
malicious people to conduct cross-site scripting attacks.
Input passed to unspecified parameters in the API pretty-printing mode is not
properly sanitised before being returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in context of
an affected site.
Successful exploitation requires that the API interface is enabled.
The vulnerability is reported in the following versions:
* 1.11 <= 1.11.0rc1
* 1.10 <= 1.10.1
* 1.9 <= 1.9.3
* 1.8 <= 1.8.4 (if $wgEnableAPI has been switched on)
Solution: Update to version 1.11.0, 1.10.2, 1.9.4, or 1.8.5.
Versions currently in Fedora fall into the "affected" range, even though there is
the following note in the changelog for release 1.9.3-34:
- Update to 1.9.4.
It only seems to be a typo. If there's any other reason why Fedora packages are
not affected, feel free to close this bug with an appropriate comment.
Builds done for all active Fedora releases, waiting for them to be pushed.
mediawiki-1.9.4-35.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.