CVE-2013-2031

Published: 18 November 2013

MediaWiki before 1.19.6 and 1.20.x before 1.20.5 allows remote attackers to conduct cross-site scripting (XSS) attacks, as demonstrated by a CDATA section containing valid UTF-7 encoded sequences in an SVG file, which is then incorrectly interpreted as UTF-8 by Chrome and Firefox.

Priority: Medium

Status

Package: mediawiki (Launchpad, Ubuntu, Debian)
Upstream: Released (1.20.5, 1.19.6)
Ubuntu 18.04 LTS (Bionic Beaver): Not vulnerable (1:1.27.4-3)
Ubuntu 16.04 LTS (Xenial Xerus): Does not exist
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist (trusty was not-affected [1:1.19.14+dfsg-1])

Patches:
Upstream: https://gerrit.wikimedia.org/r/61632
Upstream: https://gerrit.wikimedia.org/r/61640
Upstream: https://gerrit.wikimedia.org/r/61643