[ MDVSA-2015:200 ] mediawiki

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:200
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : mediawiki
 Date    : April 10, 2015
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated mediawiki packages fix security vulnerabilities:
 
 In MediaWiki before 1.23.9, one could circumvent the SVG MIME blacklist
 for embedded resources. This allowed an attacker to embed JavaScript
 in the SVG (CVE-2015-2931).
 
 In MediaWiki before 1.23.9, the SVG filter to prevent injecting
 JavaScript using animate elements was incorrect (CVE-2015-2932).
 
 In MediaWiki before 1.23.9, a stored XSS vulnerability exists due
 to the way attributes were expanded in MediaWiki's Html class, in
 combination with LanguageCo
