Bugzilla – Bug 131233
VUL-0: CVE-2005-3167: mediawiki XSS
Last modified: 2021-11-22 10:25:39 UTC
Looks like our current mediawiki on 10.0 is affected by this (I didn't check older distros, but they might be affected as well): http://sourceforge.net/project/shownotes.php?release_id=361505 == MediaWiki 1.4.11 == (released 2005-10-05) MediaWiki 1.4.11 is a security maintenance release. Unsafe handling of CSS by Microsoft Internet Explorer could be exploited to produce cross-site scripting attacks by JavaScript injection to clients running that browser. This release blacklists several additional variants from use in HTML inline style attributes. All publicly accessible wikis are recommended to upgrade to reduce the risk to visitors using Microsoft web browsers. Note: the MediaWiki 1.4.x series is not compatible with PHP 5.0.5 or higher. Upgrade to the 1.5.0 release if you require this version of PHP 5.
Fixes for released products submitted. I just took it from upstream, I cannot test it because I do not have IE. Fix for stable will come soon with upgrade to 1.5.2 but I must consult it with former maintainer.
CVE-2005-3167 Maintenance-Tracker-2753
updates released
CVE-2005-3167: CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)