CVE-2013-4303
N/A
N/A
Summary
includes/libs/IEUrlExtension.php in the MediaWiki API in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 does not properly detect extensions when there are an even number of "." (period) characters in a string, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the siprop parameter in a query action to wiki/api.php.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Wikimedia Foundation | MediaWiki | 1.19.x before 1.19.8 | affected |
| Wikimedia Foundation | MediaWiki | 1.20.x before 1.20.7 | affected |
| Wikimedia Foundation | MediaWiki | and 1.21.x before 1.21.2 | affected |
Weaknesses
- Cross-Site Scripting
ADP Enrichment
CVE Program Container
Additional References
- http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html
- http://seclists.org/oss-sec/2013/q3/553
- https://bugzilla.wikimedia.org/show_bug.cgi?id=52746
- http://www.securityfocus.com/bid/62194
- https://exchange.xforce.ibmcloud.com/vulnerabilities/86897
References
- http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html
- http://seclists.org/oss-sec/2013/q3/553
- https://bugzilla.wikimedia.org/show_bug.cgi?id=52746
- http://www.securityfocus.com/bid/62194
- https://exchange.xforce.ibmcloud.com/vulnerabilities/86897
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.