From c663a484ed71e6e4cd5ed943569cdf512023fba7 Mon Sep 17 00:00:00 2001 From: remko Date: Fri, 21 Sep 2007 13:14:29 +0000 Subject: Document mediawiki -- cross site scripting vulnerability, our port versions had not been updated yet, 1.8.x is not vulnerable by default unless you are using the $wgEnableAPI = true; statement, in that case please set it to $wgEnableAPI = false; (where possible ofcourse, else upgrade to 1.8.5). --- security/vuxml/vuln.xml | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) (limited to 'security') diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index c24a3d3bdcb0..560de0563150 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -34,6 +34,42 @@ Note: Please add new entries to the beginning of this file. --> + + mediawiki -- cross site scripting vulnerability + + + mediawiki + 1.10.2 + + + mediawiki19 + 1.9.4 + + + + +

The MediaWiki development team reports:

+
+

A possible HTML/XSS injection vector in the API + pretty-printing mode has been found and fixed.

+

The vulnerability may be worked around in an unfixed version + by simply disabling the API interface if it is not in use, by + adding this to LocalSettings.php:

+

$wgEnableAPI = false;

+

(This is the default setting in 1.8.x.)

+
+ +
+ + CVE-2007-4828 + http://lists.wikimedia.org/pipermail/mediawiki-announce/2007-September/000067.html + + + 2007-09-10 + 2007-09-21 + +
+ wordpress -- remote sql injection vulnerability -- cgit
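Review bot: The affected-package list at the top of the new entry covers only mediawiki (1.10.2) and mediawiki19 (1.9.4), yet the commit message says 1.8.x is vulnerable when $wgEnableAPI = true and is fixed in 1.8.5. The description carries only the upstream remark "(This is the default setting in 1.8.x.)", so a 1.8.x user who has enabled the API gets no fixed version from this record. If a 1.8 port is in the tree, add a package block for it bounded at 1.8.5. Otherwise add a sentence to the description saying that 1.8.x installs with the API enabled should upgrade to 1.8.5 or set $wgEnableAPI = false.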