Description
MediaWiki is a free, open source wiki package written in PHP, originally for use on Wikipedia. SecuriTeam Secure Disclosure discovered a vulnerability in the way MediaWiki handles SVG files that may allow attackers to cause it to display arbitrary JavaScript code to users who are presented with an embedded SVG file. The vulnerability is triggered through the use of an encoded ENTITY that is not properly filtered for malicious content.
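As an added illustration (not MediaWiki's code, and in Python rather than PHP), the following upload check lets the XML parser decode the file and report entity declarations, instead of searching the raw bytes for `<!ENTITY`. The advisory does not say which encoding was involved; UTF-16 is an assumption chosen here to show why a byte-level filter misses an encoded declaration, and the function names and reject-all-entities policy are hypothetical.

```python
import xml.parsers.expat


class _DtdDone(Exception):
    """Raised to stop parsing as soon as the root element starts."""


def declared_entities(data: bytes) -> list[str]:
    """Return the entities declared in the DTD of an uploaded XML/SVG file."""
    names = []
    parser = xml.parsers.expat.ParserCreate()

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        # expat has already decoded the document, so UTF-16 input is seen too.
        names.append(("%" if is_param else "&") + name)

    def on_root(tag, attrs):
        # The DTD always precedes the root element; stop before any content
        # (and any entity expansion) is processed.
        raise _DtdDone

    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_root
    try:
        parser.Parse(data, True)
    except _DtdDone:
        pass
    except xml.parsers.expat.ExpatError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc
    return names


def svg_upload_allowed(data: bytes) -> bool:
    """Policy assumed for this example: no entity declarations, no malformed XML."""
    try:
        return declared_entities(data) == []
    except ValueError:
        return False


# Constructed samples; the entity value is harmless text.
PLAIN = b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"><text>hi</text></svg>'
WITH_ENTITY = (b'<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY label "hello">]>'
               b'<svg xmlns="http://www.w3.org/2000/svg"><text>&label;</text></svg>')
WITH_ENTITY_UTF16 = WITH_ENTITY.decode("ascii").encode("utf-16")  # same file, BOM + UTF-16

if __name__ == "__main__":
    for label, sample in [("plain", PLAIN), ("utf-8", WITH_ENTITY), ("utf-16", WITH_ENTITY_UTF16)]:
        print(label, b"<!ENTITY" in sample, declared_entities(sample), svg_upload_allowed(sample))
```

The byte-level test `b"<!ENTITY" in sample` is false for the UTF-16 copy, while the parser-based check reports the declaration in both encodings.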
Remediation
The vulnerability has been fixed in MediaWiki version 1.24.2. It's recommended to upgrade to this version or the latest MediaWiki version.