Mandriva Linux Security Advisory : mediawiki (MDVSA-2014:083)
Medium Nessus Plugin ID 73934
Synopsis
The remote Mandriva Linux host is missing one or more security updates.
Description
Updated mediawiki packages fix security vulnerabilities:
Login CSRF issue in MediaWiki before 1.22.5 in Special:ChangePassword, whereby a user can be logged into an attacker's account without being aware of it, allowing the attacker to track the user's activity (CVE-2014-2665).
XSS vulnerability in MediaWiki before 1.22.6, where if the default sort key is set to a string containing a script, the script will be executed when the page is viewed using the info action.
MediaWiki has been updated to version 1.22.6, fixing this and other issues.
Solution
Update the affected packages.