CVE-2013-4303
Mandriva Linux Security Advisory 2013-235
Public Exploits: 1
Exploited in Wild: -
Decision: -
Descriptions
includes/libs/IEUrlExtension.php in the MediaWiki API in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 does not properly detect extensions when there are an even number of "." (period) characters in a string, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the siprop parameter in a query action to wiki/api.php.
Multiple vulnerabilities have been discovered and corrected in mediawiki. Full path disclosure in MediaWiki before 1.20.7, when an invalid language is specified in ResourceLoader. Several API modules in MediaWiki before 1.20.7 allowed anti-CSRF tokens to be accessed via JSONP. An issue with the MediaWiki API in MediaWiki before 1.20.7 allowed an invalid property name to be used for XSS with older versions of Internet Explorer. Several unspecified security issues were fixed in the 1.20.6 version. This replaces the MediaWiki 1.16.5 version, which has been EOL upstream for quite some time now and was shipped with MBS 1. MediaWiki removed the Math extension in the 1.18 release, but it is now available separately; it has been packaged in the mediawiki-math package. The mediawiki-graphviz and mediawiki-ldapauthentication packages have also been updated to work with the new MediaWiki packages. The updated packages provide a solution to these issues.
SSVC
- Decision: -
Timeline
- 2013-06-12 CVE Reserved
- 2013-09-16 CVE Published
- 2024-08-06 CVE Updated
- 2024-08-06 First Exploit
- 2025-07-14 EPSS Updated
- Exploited in Wild: -
- KEV Due Date: -
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
References (5)
URL | Tag | Source
---|---|---
http://seclists.org/oss-sec/2013/q3/553 | Mailing List |
http://www.securityfocus.com/bid/62194 | Third Party Advisory |
https://exchange.xforce.ibmcloud.com/vulnerabilities/86897 | Third Party Advisory |

URL | Date | SRC
---|---|---
https://bugzilla.wikimedia.org/show_bug.cgi?id=52746 | 2024-08-06 |
http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html | 2019-12-19 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Mediawiki | Mediawiki | >= 1.19.0 < 1.19.8 | - | Affected
Mediawiki | Mediawiki | >= 1.20.0 < 1.20.7 | - | Affected
Mediawiki | Mediawiki | >= 1.21.0 < 1.21.2 | - | Affected