Description
MediaWiki is a free, open-source wiki package written in PHP, originally for use on Wikipedia. SecuriTeam Secure Disclosure discovered a vulnerability in the way MediaWiki handles SVG files that may allow attackers to make it display arbitrary JavaScript code to users who are shown an embedded SVG file. The vulnerability is triggered by an encoded ENTITY whose malicious content is not properly filtered out.
Remediation
The vulnerability has been fixed in MediaWiki version 1.24.2. It's recommended to upgrade to this version or the latest MediaWiki version.
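A defensive upload check for the class of issue described above, as an added example that is not MediaWiki's code or its actual fix: it parses the SVG with Python's expat binding and rejects any file that carries a DOCTYPE or ENTITY declaration, because entity values reach the rendered document only after the parser expands them. The function names and both sample files are constructed for illustration.

```python
import xml.parsers.expat

# Constructed sample: an SVG whose visible text comes from an internal entity.
SVG_WITH_ENTITY = b"""<?xml version="1.0"?>
<!DOCTYPE svg [
  <!ENTITY label "constructed placeholder text">
]>
<svg xmlns="http://www.w3.org/2000/svg"><text>&label;</text></svg>"""

# Constructed sample: a plain SVG with no DTD at all.
SVG_PLAIN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'


def inspect_svg(data):
    """Return (findings, text): DTD constructs seen, and text after expansion."""
    findings, chunks = [], []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append("doctype:" + name)

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        # value is None for external entities, a string for internal ones.
        kind = "internal" if value is not None else "external"
        findings.append("entity:%s:%s" % (kind, name))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.CharacterDataHandler = chunks.append
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError:
        findings.append("malformed")  # unparseable input is rejected as well
    return findings, "".join(chunks)


def is_acceptable_upload(data):
    """Accept only well-formed SVG that declares no DOCTYPE and no entities."""
    findings, _ = inspect_svg(data)
    return not findings


if __name__ == "__main__":
    for label, sample in (("entity", SVG_WITH_ENTITY), ("plain", SVG_PLAIN)):
        print(label, inspect_svg(sample), is_acceptable_upload(sample))
```

In the first sample the `<text>` element contains only `&label;` in the raw file, while the parser reports the expanded entity value as its text, which is why a filter that inspects unexpanded markup can miss what the viewer ends up rendering.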