A stored cross-site scripting (XSS) flaw was found in the way MediaWiki, a wiki engine, sanitized comments when a File::link tag to a non-existent image was rendered. A remote attacker could provide a specially-crafted URL that, when visited, would lead to arbitrary HTML or web script injection.
References:
[1] http://www.gossamer-threads.com/lists/wiki/mediawiki/295767
Upstream bug:
[2] https://bugzilla.wikimedia.org/show_bug.cgi?id=39700
Upstream patch against the 1.19 version:
[3] https://bugzilla.wikimedia.org/show_bug.cgi?id=39700#c11
Upstream patch against the 1.18 version:
[4] https://bugzilla.wikimedia.org/show_bug.cgi?id=39700#c12
This issue affects the versions of the mediawiki package, as shipped with Fedora releases 16 and 17. Please schedule an update.
--
This issue did NOT affect the version of the mediawiki package, as shipped with Fedora EPEL 5.
CVE request: http://www.openwall.com/lists/oss-security/2012/08/31/6
Created mediawiki tracking bugs for this issue
Affects: fedora-all [bug 853446]
The CVE identifier of CVE-2012-4377 has been assigned to this issue: http://www.openwall.com/lists/oss-security/2012/08/31/10