Description

Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.4, when Internet Explorer 6 or earlier is used, allows remote attackers to inject arbitrary web script or HTML via an uploaded file accessed with a dangerous extension such as .html located before a ? (question mark) in a query string, in conjunction with a modified URI path that has a %2E sequence in place of the . (dot) character. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1578.

Remediation

References

CVE-2011-1587

Related Vulnerabilities

WordPress Plugin Yoast SEO Cross-Site Scripting (22.5)

WordPress Plugin Loco Translate Local File Inclusion (2.2.1)

WordPress Plugin WP RSS Aggregator-News Feeds, Autoblogging, Youtube Video Feeds and More Cross-Site Scripting (4.19.1)

ZenCart Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2017-11675)

PHP Uncontrolled Resource Consumption Vulnerability (CVE-2017-9119)

Severity

Medium

Classification

CVE-2011-1587 CWE-707

Tags

Missing Update Known Vulnerabilities