Description
MediaWiki is a free and open source wiki package written in PHP, originally developed for Wikipedia. SecuriTeam Secure Disclosure discovered a vulnerability in the way MediaWiki handles uploaded SVG files that may allow an attacker to execute arbitrary JavaScript in the browser of any user who views a page embedding the malicious SVG (cross-site scripting). The vulnerability is triggered through a character-encoded XML ENTITY declaration: the script content carried in the entity is not properly filtered, so the upload check passes a file whose expanded markup contains script.
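The mechanism described above, as an added illustration that is not MediaWiki's own code and is written in Python rather than PHP: a filter that scans the raw upload for script markup is compared with one that lets the XML parser expand internal entities first and then inspects the resulting tree. The sample SVG uploads are constructed for this example, and it goes slightly beyond the advisory by also covering an entity that expands to an event-handler attribute.

```python
"""Illustrative SVG script filter (added example, not MediaWiki code).

A raw-text scan is defeated by an internal DTD entity whose value is written
with numeric character references: '&#60;' becomes '<' when the declaration is
parsed, so the entity's replacement text is real markup once '&x;' is used in
the body. A check run on the parsed tree sees the expanded markup.
"""
import re
import xml.etree.ElementTree as ET

# Constructed uploads used as test input.
BENIGN = (
    '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    '<circle cx="5" cy="5" r="4"/></svg>'
)
PLAIN_SCRIPT = (
    '<svg xmlns="http://www.w3.org/2000/svg">'
    '<script>alert(document.domain)</script></svg>'
)
# The script element exists only after entity expansion.
ENTITY_SCRIPT = (
    '<!DOCTYPE svg [<!ENTITY x "&#60;script&#62;alert(document.domain)'
    '&#60;/script&#62;">]>'
    '<svg xmlns="http://www.w3.org/2000/svg">&x;</svg>'
)
# Same trick for an event handler; '&#111;nload' hides the literal 'onload'.
ENTITY_HANDLER = (
    "<!DOCTYPE svg [<!ENTITY r '&#60;rect width=\"9\" height=\"9\" "
    "&#111;nload=\"alert(1)\"/&#62;'>]>"
    '<svg xmlns="http://www.w3.org/2000/svg">&r;</svg>'
)

# Vulnerable approach: inspect the bytes as uploaded. Markup that only
# appears after entity expansion is invisible to these patterns.
_RAW_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"\son[a-z]+\s*=", re.I),
    re.compile(r"javascript\s*:", re.I),
]


def raw_scan_is_safe(svg_text: str) -> bool:
    """Return True when no pattern matches the raw document text."""
    return not any(p.search(svg_text) for p in _RAW_PATTERNS)


# Hardened approach: let the XML parser expand internal entities, then judge
# the resulting tree. expat (behind ElementTree) expands internal general
# entities and does not fetch external ones, so the tree matches what a
# browser's XML parser would build from the same bytes. A production filter
# should additionally cap document size and entity nesting, since entity
# expansion is itself a denial-of-service vector.
def _local(name: str) -> str:
    """Strip a '{namespace}' prefix and lower-case the local name."""
    return name.rsplit("}", 1)[-1].lower()


def parsed_findings(svg_text: str) -> list:
    """Return the reasons the document is unsafe; an empty list means clean."""
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]
    for el in root.iter():
        tag = _local(el.tag) if isinstance(el.tag, str) else ""
        if tag == "script":
            findings.append("script element")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                findings.append(f"event handler attribute {name}")
            if name == "href" and re.match(r"\s*javascript:", value, re.I):
                findings.append("javascript: URL in href")
    return findings


def parsed_scan_is_safe(svg_text: str) -> bool:
    """Return True when the expanded document contains no script vectors."""
    return not parsed_findings(svg_text)


if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("plain", PLAIN_SCRIPT),
                       ("entity", ENTITY_SCRIPT), ("handler", ENTITY_HANDLER)]:
        print(f"{label:8s} raw={raw_scan_is_safe(doc)!s:5s} "
              f"parsed={parsed_scan_is_safe(doc)!s:5s} {parsed_findings(doc)}")
```

Running the block shows the raw scan accepting both entity-based uploads while rejecting the plainly written script, whereas the parsed check rejects all three malicious documents and accepts the benign icon.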
Remediation
The vulnerability has been fixed in MediaWiki version 1.24.2. Upgrade to that version or to the latest MediaWiki release.
References
Related Vulnerabilities
WordPress Plugin WP Advanced Comment Cross-Site Scripting (0.10)
WordPress Plugin BulletProof Security Cross-Site Scripting (.47)
WordPress Plugin bbPress Cross-Site Scripting (2.5.9)
WordPress Plugin WP Link To Us Multiple Cross-Site Scripting Vulnerabilities (2.0)
WordPress Plugin Realty by BestWebSoft Cross-Site Scripting (1.0.9)