[Pkg-mediawiki-devel] Bug#799096: mediawiki: CVE-2015-6727 CVE-2015-6728 CVE-2015-6729 CVE-2015-6730

Thorsten Glaser t.glaser at tarent.de
Wed Sep 16 13:17:09 UTC 2015

On Tue, 15 Sep 2015, Salvatore Bonaccorso wrote:

> CVE-2015-6730[3]:
> | Cross-site scripting (XSS) vulnerability in thumb.php in MediaWiki
> | before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2 allows
> | remote attackers to inject arbitrary web script or HTML via the f
> | parameter, which is not properly handled in an error page, related to
> | "ForeignAPI images."

Judging from https://phabricator.wikimedia.org/T97391#1242481
and the last messages in the bug report, and the lack of mention
of this in the git log for the various supported branches, I
believe that this particular CVE is still unfixed upstream.

Found diffs for the other three, though…

tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-235
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Managing directors: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg
