Mandriva Linux Security Advisory : mediawiki (MDVSA-2013:235)

medium Nessus Plugin ID 69918

Synopsis

The remote Mandriva Linux host is missing one or more security updates.

Description

Multiple vulnerabilities has been discovered and corrected in mediawiki :

Full path disclosure in MediaWiki before 1.20.7, when an invalid language is specified in ResourceLoader (CVE-2013-4301).

Several API modules in MediaWiki before 1.20.7 allowed anti-CSRF tokens to be accessed via JSONP (CVE-2013-4302).

An issue with the MediaWiki API in MediaWiki before 1.20.7 where an invalid property name could be used for XSS with older versions of Internet Explorer (CVE-2013-4303).

Several unspecified security issues were fixed with the 1.20.6 version. This replaces the MediaWiki 1.16.5 version, which has been EOL upstream for quite some time now, that was shipped with MBS 1.

MediaWiki removed the Math extension for the 1.18 release, but it is now available separately. It has been packaged in the mediawiki-math package.

The mediawiki-graphviz and mediawiki-ldapauthentication packages have also been updated to work with the new MediaWiki packages.

The updated packages provides a solution to these issues.

Solution

Update the affected packages.

See Also

http://advisories.mageia.org/MGASA-2013-0226.html

http://advisories.mageia.org/MGASA-2013-0276.html

Plugin Details

Severity: Medium

ID: 69918

File Name: mandriva_MDVSA-2013-235.nasl

Version: 1.9

Type: local

Published: 9/17/2013

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.8

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:mediawiki, p-cpe:/a:mandriva:linux:mediawiki-graphviz, p-cpe:/a:mandriva:linux:mediawiki-ldapauthentication, p-cpe:/a:mandriva:linux:mediawiki-math, p-cpe:/a:mandriva:linux:mediawiki-mysql, p-cpe:/a:mandriva:linux:mediawiki-pgsql, p-cpe:/a:mandriva:linux:mediawiki-sqlite, cpe:/o:mandriva:business_server:1

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 9/16/2013

Reference Information

CVE: CVE-2013-4301, CVE-2013-4302, CVE-2013-4303

BID: 62194, 62215

MDVSA: 2013:235