Description
MediaWiki is a free, open-source wiki package written in PHP, originally built for Wikipedia. SecuriTeam Secure Disclosure discovered a vulnerability in the way MediaWiki handles SVG files that may allow attackers to cause it to serve arbitrary JavaScript to users who are presented with an embedded SVG file. The vulnerability is triggered through the use of an encoded ENTITY declaration that is not properly filtered for malicious content.
Remediation
The vulnerability has been fixed in MediaWiki version 1.24.2. It's recommended to upgrade to this version or the latest MediaWiki version.
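As an added example (not code from MediaWiki or from the advisory), the following upload check shows the defensive approach that closes this class of bug: rather than trying to filter what an entity expands to, any SVG that carries a DOCTYPE or entity declaration is rejected outright, along with script elements and event-handler attributes. The sample SVG inputs are constructed for the example.

```python
import xml.parsers.expat

# Constructed sample inputs (not from the advisory): a plain SVG, and one that
# declares an internal entity, the construct the advisory says was not filtered.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
ENTITY_SVG = (b'<?xml version="1.0"?>\n'
              b'<!DOCTYPE svg [ <!ENTITY label "hello"> ]>\n'
              b'<svg xmlns="http://www.w3.org/2000/svg"><text>&label;</text></svg>')


def svg_findings(data: bytes) -> list:
    """Return the reasons an SVG upload should be rejected; empty means it passed."""
    findings = []
    p = xml.parsers.expat.ParserCreate()
    # Never resolve parameter entities, so no external DTD is ever fetched.
    p.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Any DOCTYPE is rejected: well-formed SVG for display never needs one.
        findings.append("DOCTYPE declaration present")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        # Reject every entity declaration regardless of how its value is encoded.
        findings.append(f"entity declared: {name}")

    def on_start(tag, attrs):
        local = tag.rsplit(":", 1)[-1].lower()
        if local == "script":
            findings.append("<script> element")
        for attr in attrs:  # attrs is a dict of attribute name -> value
            if attr.rsplit(":", 1)[-1].lower().startswith("on"):
                findings.append(f"event handler attribute: {attr}")

    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity
    p.StartElementHandler = on_start
    try:
        p.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        findings.append(f"not well-formed XML: {exc}")
    return findings


def is_safe_svg(data: bytes) -> bool:
    """True only when no finding was recorded for the document."""
    return not svg_findings(data)
```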