ALT-PU-2014-2460-1

Обновление пакета mediawiki в ветке t7

Версия1.23.7-alt1

Задание#136639

Опубликовано2014-12-16

Макс. серьёзностьHIGH

Серьёзность:

Закрытые проблемы (3)

MEDIUM5.1

Cross-site request forgery (CSRF) vulnerability in the Special:ExpandedTemplates page in MediaWiki before 1.19.22, 1.20.x through 1.22.x before 1.22.14, and 1.23.x before 1.23.7, when $wgRawHTML is set to true, allows remote attackers to hijack the authentication of users with edit permissions for requests that cross-site scripting (XSS) attacks via the wpInput parameter, which is not properly handled in the preview.

Опубликовано: 2015-01-04Изменено: 2025-04-12

CVSS 2.0СРЕДНЯЯ 5.1

CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:P/A:P

Ссылки

HIGH7.5

The wfMangleFlashPolicy function in OutputHandler.php in MediaWiki before 1.19.22, 1.20.x through 1.22.x before 1.22.14, and 1.23.x before 1.23.7 allows remote attackers to conduct PHP object injection attacks via a crafted string containing in a PHP format request, which causes the string length to change when converting the request to .

Опубликовано: 2015-01-04Изменено: 2025-04-12

CVSS 2.0ВЫСОКАЯ 7.5

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P

Ссылки

LOW2.6

MediaWiki 1.21.x, 1.22.x before 1.22.14, and 1.23.x before 1.23.7, when $wgContentHandlerUseDB is enabled, allows remote attackers to conduct cross-site scripting (XSS) attacks by setting the content model for a revision to JS.

Опубликовано: 2015-01-04Изменено: 2025-04-12

CVSS 2.0НИЗКАЯ 2.6

CVSS:2.0/AV:N/AC:H/Au:N/C:N/I:P/A:N

Ссылки