mediawiki
- Author: kikadf
- Vulnerable: 1.18.1-1
- Unaffected: 1.19.16-1arcturus1
Omer Iqbal discovered that MediaWiki, a wiki engine, parses invalid usernames on Special:PasswordReset as wikitext when $wgRawHtml is enabled. On such wikis this allows an unauthenticated attacker to insert malicious JavaScript, a cross-site scripting attack.
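Since only wikis with $wgRawHtml enabled are exposed, an administrator can check a site's configuration for that precondition while scheduling the upgrade. The following is an added example, not code from this advisory or from MediaWiki: the function name `raw_html_status` and the sample settings text are constructed for illustration, and it assumes the setting is assigned as a plain literal in LocalSettings.php.

```python
import re

# Strip PHP comments so a commented-out assignment is not counted.
# Simplification: comment markers inside string literals are not recognised.
_COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
_ASSIGN = re.compile(r"\$wgRawHtml\s*=\s*([^;]+);")
_TRUTHY = {"true", "1"}
_FALSY = {"false", "0", "null"}


def raw_html_status(settings_text):
    """Classify the effective $wgRawHtml value in LocalSettings.php text.

    Returns "enabled", "disabled" or "unknown". MediaWiki's default is
    false, so a file with no active assignment counts as "disabled".
    """
    code = _COMMENTS.sub("", settings_text)
    values = [m.group(1).strip().lower() for m in _ASSIGN.finditer(code)]
    if not values:
        return "disabled"
    last = values[-1]  # PHP executes top to bottom, so the last assignment wins
    if last in _TRUTHY:
        return "enabled"
    if last in _FALSY:
        return "disabled"
    return "unknown"  # non-literal expression: review by hand


# Constructed sample, not taken from a real wiki.
SAMPLE = """<?php
$wgSitename = "Example Wiki";
# $wgRawHtml = false;
$wgRawHtml = true;  // allow <html> tags
/* $wgRawHtml = false; */
"""

if __name__ == "__main__":
    print(raw_html_status(SAMPLE))
```

A result of "enabled" on a package at the vulnerable version means the wiki meets the condition described above; "unknown" means the value is computed and needs manual review.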