MediaWiki 'profileinfo.php' Cross Site Scripting Vulnerability Network Vulnerability

Summary

This host is running MediaWiki and is prone to cross site scripting vulnerability.

Impact

Successful exploitation will allow attacker to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Impact Level: Application

Solution

Upgrade to MediaWiki versions 1.16.0 or 1.15.5. For updates refer to http://www.mediawiki.org/wiki/Download

Insight

The flaw is caused by improper validation of user-supplied input passed via the 'filter' parameter to profileinfo.php, which allows attackers to execute arbitrary HTML and script code on the web server.

Affected

MediaWiki versions before 1.15.5

References

http://svn.wikimedia.org/viewvc/mediawiki?view=revision&revision=69952
http://svn.wikimedia.org/viewvc/mediawiki?view=revision&revision=69984
https://bugzilla.redhat.com/show_bug.cgi?id=620225
https://bugzilla.redhat.com/show_bug.cgi?id=620226

Updated on 2015-03-25

Severity

Classification

CVE CVE-2010-2788
CVSS Base Score: 2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N

Related Vulnerabilities

Sambar sendmail /session/sendmail
PhreeBooks Multiple Remote Vulnerabilities
Kusaba X Multiple Cross Site Scripting Vulnerabilities
arachni (NASL wrapper)
ownCloud Multiple Cross Site Scripting Vulnerabilities -03 May14

Take action and discover your vulnerabilities