MediaWiki Cross-site Scripting (XSS) and Cross-site Request Forgery (CSRF) Vulnerabilities

Summary
This host is running MediaWiki and is prone to Cross-site Scripting and Cross-Site Request Forgery vulnerabilities.
Impact
Successful exploitation will allow remote attackers to inject arbitrary web script or HTML and to hijack the authentication of users. Impact Level: Application.
Solution
Upgrade to MediaWiki version 1.15.4 or 1.16 beta 3 or later. For updates, refer to http://dumps.wikimedia.org/mediawiki/
Insight
- A flaw is present while processing crafted Cascading Style Sheets (CSS) strings, which are processed as scripts.
- An error is present in the 'Special:Userlogin' form, which allows remote attackers to hijack the authentication of users for requests that create accounts or reset passwords.
Affected
MediaWiki version 1.15 before 1.15.4 and 1.16 before 1.16 beta 3