Mandriva Linux Security Advisory : mediawiki (MDVSA-2014:083)

Medium Nessus Plugin ID 73934


The remote Mandriva Linux host is missing one or more security updates.


Updated mediawiki packages fix security vulnerabilities:

Login CSRF issue in MediaWiki before 1.22.5 in Special:ChangePassword, whereby a user can be logged into an attacker's account without being aware of it, allowing the attacker to track the user's activity (CVE-2014-2665).

XSS vulnerability in MediaWiki before 1.22.6, where if the default sort key is set to a string containing a script, the script will be executed when the page is viewed using the info action.

MediaWiki has been updated to version 1.22.6, fixing this and other issues.


Update the affected packages.

Plugin Details

Severity: Medium

ID: 73934

File Name: mandriva_MDVSA-2014-083.nasl

Version: $Revision: 1.1 $

Type: local

Published: 2014/05/09

Modified: 2014/05/09

Dependencies: 12634

Risk Information

Risk Factor: Medium


Base Score: 4

Temporal Score: 3.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:mediawiki, p-cpe:/a:mandriva:linux:mediawiki-mysql, p-cpe:/a:mandriva:linux:mediawiki-pgsql, p-cpe:/a:mandriva:linux:mediawiki-sqlite, cpe:/o:mandriva:business_server:1

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2014/05/08

Reference Information

CVE: CVE-2014-2665

BID: 66600

MDVSA: 2014:083