Mandriva Linux Security Advisory : mediawiki (MDVSA-2013:235)

This script is Copyright (C) 2013 Tenable Network Security, Inc.


Synopsis :

The remote Mandriva Linux host is missing one or more security
updates.

Description :

Multiple vulnerabilities has been discovered and corrected in
mediawiki :

Full path disclosure in MediaWiki before 1.20.7, when an invalid
language is specified in ResourceLoader (CVE-2013-4301).

Several API modules in MediaWiki before 1.20.7 allowed anti-CSRF
tokens to be accessed via JSONP (CVE-2013-4302).

An issue with the MediaWiki API in MediaWiki before 1.20.7 where an
invalid property name could be used for XSS with older versions of
Internet Explorer (CVE-2013-4303).

Several unspecified security issues were fixed with the 1.20.6
version. This replaces the MediaWiki 1.16.5 version, which has been
EOL upstream for quite some time now, that was shipped with MBS 1.

MediaWiki removed the Math extension for the 1.18 release, but it is
now available separately. It has been packaged in the mediawiki-math
package.

The mediawiki-graphviz and mediawiki-ldapauthentication packages have
also been updated to work with the new MediaWiki packages.

The updated packages provides a solution to these issues.

See also :

http://advisories.mageia.org/MGASA-2013-0226.html
http://advisories.mageia.org/MGASA-2013-0276.html

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 4.3
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

Family: Mandriva Local Security Checks

Nessus Plugin ID: 69918 ()

Bugtraq ID: 62194
62215

CVE ID: CVE-2013-4301
CVE-2013-4302
CVE-2013-4303

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now