Description
MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 does not properly handle the case in which the Zend interpreter's xml_parse function does not expand entities, which allows remote attackers to inject arbitrary web script or HTML via a crafted SVG file.
Remediation
References