Debian DSA-2022-1 : mediawiki - several vulnerabilities

medium Nessus Plugin ID 45337

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities have been discovered in mediawiki, a web-based wiki engine. The following issues have been identified:

- Insufficient input sanitization in the CSS validation code allows editors to display external images in wiki pages. This is a privacy concern on public wikis, since an attacker can link such images to a web server under their control and collect the IP addresses and other request details of every reader who loads the page.
- Insufficient permission checks in thumb.php can lead to disclosure of image files that are restricted to certain users (e.g. with img_auth.php).

Solution

For the stable distribution (lenny), these problems have been fixed in version 1.12.0-2lenny4.

See Also

https://www.debian.org/security/2010/dsa-2022

Plugin Details

Severity: Medium

ID: 45337

File Name: debian_DSA-2022.nasl

Version: 1.11

Type: local

Agent: unix

Published: 3/25/2010

Updated: 1/4/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 2.7

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:mediawiki, cpe:/o:debian:debian_linux:5.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 3/23/2010

Reference Information

CVE: CVE-2010-1189, CVE-2010-1190

BID: 38617, 38621

DSA: 2022