MediaWiki SVG cross-site scripting vulnerability

Description

MediaWiki is a free software open source wiki package written in PHP, originally for use on Wikipedia. SecuriTeam Secure Disclosure discovered a vulnerability in the way MediaWiki handles SVG files that may allow attackers to cause it to display arbitrary javascript code to users that are presented with an embedded SVG file. The vulnerability is triggered through the use of an encoded ENTITY that doesn't get properly filtered out for malicious content.

Remediation

The vulnerability has been fixed in MediaWiki version 1.24.2. It's recommended to upgrade to this version or the latest MediaWiki version.

References