Common Vulnerabilities and Exposures assigned an identifier CVE-2009-0737 to the following vulnerability:

Multiple cross-site scripting (XSS) vulnerabilities in the web-based installer (config/index.php) in MediaWiki 1.6 before 1.6.12, 1.12 before 1.12.4, and 1.13 before 1.13.4, when the installer is in active use, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

References:
http://lists.wikimedia.org/pipermail/mediawiki-announce/2009-February/000083.html
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_12_4/phase3/RELEASE-NOTES
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_13_4/phase3/RELEASE-NOTES
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_6_12/phase3/RELEASE-NOTES
http://www.securityfocus.com/bid/33681
http://secunia.com/advisories/33881
http://www.vupen.com/english/advisories/2009/0368
This seems to have quite low impact, as both upstream and Fedora packages recommend removing the installer script once the site is configured.
mediawiki-1.14.0-45.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
mediawiki-1.14.0-45.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.