Summary
This host is running MediaWiki and is prone to Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerabilities.
Impact
Successful exploitation will allow remote attackers to inject arbitrary web script or HTML and to hijack the authentication of users.
Impact Level: Application.
Solution
Upgrade to MediaWiki version 1.15.4, 1.16 beta 3, or later. For updates refer to http://dumps.wikimedia.org/mediawiki/
Insight
- A flaw is present in the processing of crafted Cascading Style Sheets (CSS) strings, which are handled as scripts.
- An error in the 'Special:Userlogin' form allows remote attackers to hijack the authentication of users for requests that create accounts or reset passwords.
Affected
MediaWiki version 1.15 before 1.15.4 and 1.16 before 1.16 beta 3
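The two affected ranges above (1.15 before 1.15.4, 1.16 before 1.16 beta 3) are easy to misjudge by hand because of the pre-release suffix, so here is an added version check for an inventory or scanner script. It is not part of the advisory or of MediaWiki itself; the accepted version-string shapes (e.g. "1.15.3", "1.16beta2", "1.16 beta 3") are an assumption.

```python
import re

# Added example, not from the advisory: classify a MediaWiki version string as
# inside or outside the affected ranges named above. Assumed formats: dotted
# numbers with an optional alpha/beta/rc tag, e.g. "1.15.3", "1.16beta2".
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)\s*(?:-?(alpha|beta|rc)\s*(\d+)?)?$", re.I)


def parse_version(text):
    """Return (numbers, pre): pre is None for a final release, else (tag_rank, n)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised version: %r" % text)
    numbers = tuple(int(p) for p in m.group(1).split("."))
    while len(numbers) < 3:          # pad "1.16" to (1, 16, 0)
        numbers += (0,)
    if m.group(2) is None:
        return numbers, None
    rank = {"alpha": 0, "beta": 1, "rc": 2}[m.group(2).lower()]
    return numbers, (rank, int(m.group(3) or 0))


def _key(parsed):
    numbers, pre = parsed
    # A final release sorts after every pre-release of the same numeric version,
    # so "1.16" (final) is newer than "1.16 beta 3".
    return numbers, (pre is None, pre or (0, 0))


def is_affected(version):
    """True when the version falls in 1.15 < 1.15.4 or 1.16 < 1.16 beta 3."""
    v = parse_version(version)
    major_minor = v[0][:2]
    if major_minor == (1, 15):
        return _key(v) < _key(parse_version("1.15.4"))
    if major_minor == (1, 16):
        return _key(v) < _key(parse_version("1.16 beta 3"))
    return False                      # other branches are not named by the advisory


if __name__ == "__main__":
    for v in ("1.15.3", "1.15.4", "1.16beta2", "1.16 beta 3", "1.16.0"):
        print(v, "AFFECTED" if is_affected(v) else "not affected")
```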
References
CVE: CVE-2010-1647, CVE-2010-1648
Severity
CVSS Base Score: 6.8
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P