Mandriva Linux Security Advisory : mediawiki (MDVSA-2015:006)

Medium Nessus Plugin ID 80425


The remote Mandriva Linux host is missing one or more security updates.


Updated mediawiki packages fix security vulnerabilities :

In MediaWiki before 1.23.8, thumb.php outputs a wikitext message as raw HTML, which could lead to cross-site scripting. Permission to edit the MediaWiki namespace is required to exploit this.

In MediaWiki before 1.23.8, a malicious site can bypass CORS restrictions in API calls if it merely includes an allowed domain as part of its name.
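
The CORS issue above is what happens when an Origin value is accepted because it contains an allowed domain rather than because its host equals one. The following is an added example, not MediaWiki's code and not part of the advisory: it contrasts a flawed check of that kind with a whole-host comparison. The allow-list, function names and sample origins are constructed, and requiring HTTPS is an assumption of this example.

```python
from urllib.parse import urlsplit

# Hypothetical allow-list (constructed for this example).
ALLOWED_HOSTS = {"wiki.example.org"}


def weak_origin_allowed(origin: str) -> bool:
    """Flawed: accepts any Origin that merely contains an allowed domain."""
    return any(host in origin for host in ALLOWED_HOSTS)


def strict_origin_allowed(origin: str, allow_subdomains: bool = False) -> bool:
    """Parse the Origin header and compare the complete host name."""
    try:
        parts = urlsplit(origin)
        host, _ = parts.hostname, parts.port  # .port raises on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or not host:  # assumption: HTTPS origins only
        return False
    # An Origin is scheme://host[:port]; reject userinfo, path, query, fragment.
    if parts.username is not None or parts.path or parts.query or parts.fragment:
        return False
    host = host.rstrip(".")  # urlsplit already lower-cases the host
    for allowed in ALLOWED_HOSTS:
        if host == allowed:
            return True
        # Subdomains match only on a label boundary (leading dot).
        if allow_subdomains and host.endswith("." + allowed):
            return True
    return False


# Constructed sample Origin header values.
SAMPLE_ORIGINS = [
    "https://wiki.example.org",                # the allowed site itself
    "https://wiki.example.org.attacker.test",  # allowed name as a prefix
    "https://notwiki.example.org",             # allowed name as a suffix
    "https://en.wiki.example.org",             # genuine subdomain
]


def compare(origins):
    """Return {origin: (weak_result, strict_result)} for each origin."""
    return {o: (weak_origin_allowed(o), strict_origin_allowed(o)) for o in origins}


if __name__ == "__main__":
    for origin, (weak, strict) in compare(SAMPLE_ORIGINS).items():
        print(f"{origin:42} weak={weak!s:5} strict={strict}")
```

The strict check ignores the port; compare it as well if the allow-list is meant to be port-specific.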


Update the affected packages.

Plugin Details

Severity: Medium

ID: 80425

File Name: mandriva_MDVSA-2015-006.nasl

Version: $Revision: 1.3 $

Type: local

Published: 2015/01/09

Modified: 2015/01/19

Dependencies: 12634

Risk Information

Risk Factor: Medium


Base Score: 6.4

Temporal Score: 5.6

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:mediawiki, p-cpe:/a:mandriva:linux:mediawiki-mysql, p-cpe:/a:mandriva:linux:mediawiki-pgsql, p-cpe:/a:mandriva:linux:mediawiki-sqlite, cpe:/o:mandriva:business_server:1

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2015/01/08

Reference Information

BID: 71775, 71776

MDVSA: 2015:006