Mandriva Linux Security Advisory : mediawiki (MDVSA-2014:083)

medium Nessus Plugin ID 73934

Synopsis

The remote Mandriva Linux host is missing one or more security updates.

Description

Updated mediawiki packages fix security vulnerabilities:

Login CSRF issue in Special:ChangePassword in MediaWiki before 1.22.5, whereby a user can be logged into an attacker's account without being aware of it, allowing the attacker to track the user's activity (CVE-2014-2665).

XSS vulnerability in MediaWiki before 1.22.6, where if the default sort key is set to a string containing a script, the script will be executed when the page is viewed using the info action.

MediaWiki has been updated to version 1.22.6, fixing this and other issues.

Solution

Update the affected packages.

See Also

http://advisories.mageia.org/MGASA-2014-0157.html

http://advisories.mageia.org/MGASA-2014-0197.html

Plugin Details

Severity: Medium

ID: 73934

File Name: mandriva_MDVSA-2014-083.nasl

Version: 1.5

Type: local

Published: 5/9/2014

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 2.7

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:mediawiki, p-cpe:/a:mandriva:linux:mediawiki-mysql, p-cpe:/a:mandriva:linux:mediawiki-pgsql, p-cpe:/a:mandriva:linux:mediawiki-sqlite, cpe:/o:mandriva:business_server:1

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 5/8/2014

Reference Information

CVE: CVE-2014-2665

BID: 66600

MDVSA: 2014:083