Nixpkgs security tracker

Untriaged

Permalink CVE-2013-4303

created 2 months ago Activity log

Created suggestion 2 months ago

includes/libs/IEUrlExtension.php in the MediaWiki API in MediaWiki 1.19.x before 1.19.8, …

includes/libs/IEUrlExtension.php in the MediaWiki API in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 does not properly detect extensions when there are an even number of "." (period) characters in a string, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the siprop parameter in a query action to wiki/api.php.

References

http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.h… x_transferredx_refsource_MISC
http://seclists.org/oss-sec/2013/q3/553 x_transferredx_refsource_MISC
https://bugzilla.wikimedia.org/show_bug.cgi?id=52746 x_transferredx_refsource_MISC
http://www.securityfocus.com/bid/62194 x_transferredx_refsource_MISC
https://exchange.xforce.ibmcloud.com/vulnerabilities/86897 x_transferredx_refsource_MISC

Affected products

MediaWiki

==and 1.21.x before 1.21.2
==1.19.x before 1.19.8
==1.20.x before 1.20.7

Matching in nixpkgs

pkgs.mediawiki

Collaborative editing software that runs Wikipedia

nixos-unstable 1.45.1
- nixpkgs-unstable 1.45.1
- nixos-unstable-small 1.45.1
nixos-25.11 1.44.3
- nixos-25.11-small 1.44.3
- nixpkgs-25.11-darwin 1.44.3

Package maintainers

@astro Astro <astro@spaceboyz.net>
@gshipunov Grigory Shipunov <blame@oxapentane.com>
@tanneberger Tassilo Tanneberger <revol-xut@protonmail.com>
@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.mediawiki

Package maintainers