Bug 105841 (CVE-2005-2396)

Summary: VUL-0: CVE-2005-2396: mediawiki problem in 1.4.6 ?
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Marcus Meissner <meissner>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: nadvornik, security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: All
Whiteboard: CVE-2005-2396: CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2005-08-19 13:40:14 UTC
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2396 
 
has 
 
Cross-site scripting (XSS) vulnerability in MediaWiki 1.4.6 and earlier allows 
remote attackers to inject arbitrary web script or HTML via a parameter to the 
page move template. 
 
Did we fix this already?
Comment 1 Sebastian Krahmer 2005-08-23 11:24:25 UTC
Petr?
Comment 2 Petr Ostadal 2005-08-23 15:00:11 UTC
Anicka made last security fix for mediawiki (now she has vacation), but in
changelog of php (on SL9.3) is written that she backported security bugs from
1.4.5 and 1.4.6. That means we have to fixed this bug.
Comment 3 Vladimir Nadvornik 2005-08-24 13:21:46 UTC
1.4.7 is affected too. It is fixed in 1.4.8. I will submit fixed packages.
Comment 4 Vladimir Nadvornik 2005-08-24 14:52:34 UTC
Fixed packages for 9.3 and STABLE are submitted.
Comment 5 Marcus Meissner 2005-08-25 13:15:55 UTC
SWAMP 2130 
 
patchinfos submitted 
Comment 6 Marcus Meissner 2005-08-29 13:32:57 UTC
Vladimir, can you please unbreak the build? 
 
mediawiki: "/srv/www/htdocs/mediawiki/includes/ChangesList.php.orig" is not allowed anymore in SuSE Linux.
mediawiki: "/srv/www/htdocs/mediawiki/includes/Parser.php.orig" is not allowed anymore in SuSE Linux.
 
Comment 7 Vladimir Nadvornik 2005-08-29 15:58:51 UTC
sorry, fixed package is submitted.
Comment 8 Marcus Meissner 2005-09-01 08:53:54 UTC
released this one. 
Comment 9 Thomas Biege 2009-10-13 20:43:54 UTC
CVE-2005-2396: CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)