On Tue, 15 Sep 2015, Salvatore Bonaccorso wrote:

> CVE-2015-6729[2]:
> | Cross-site scripting (XSS) vulnerability in thumb.php in MediaWiki
> | before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2 allows
> | remote attackers to inject arbitrary web script or HTML via the rel404
> | parameter, which is not properly handled in an error page.

1.19 is not vulnerable against this as it never echoes the passed string.
This was added e.g. in commit a04d9cb7487773e102285de13b7092a2bc9b6821
first released in 1.21.0 according to 'git tag --contains'.

bye,
//mirabilos
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-235
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg

_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team
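
Added example, not part of the original message and not MediaWiki's own history: the `git tag --contains` check described above, run against a small constructed repository. The tag names, branch name `REL1_19`, commit messages and helper function names are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed demo: which releases contain the commit that introduced a behaviour?

# Oldest tag (in version order) whose history contains commit $2 in repo $1.
first_release_containing() {
    git -C "$1" tag --contains "$2" --sort=version:refname | head -n 1
}

# Exit status 0 if tag $3 in repo $1 has commit $2 in its history.
release_contains() {
    git -C "$1" merge-base --is-ancestor "$2" "$3"
}

# Build a constructed history: a 1.19 maintenance branch forks before the
# commit of interest; 1.21.0 and 1.23.10 are tagged after it.
# Sets DEMO_REPO (path) and DEMO_COMMIT (hash of the commit of interest).
build_demo_repo() {
    DEMO_REPO=$(mktemp -d) || return 1
    g() { git -C "$DEMO_REPO" -c user.name=demo -c user.email=demo@example.invalid "$@"; }
    g init -q
    g commit -q --allow-empty -m "base"
    g tag 1.19.0
    g branch REL1_19
    g commit -q --allow-empty -m "error page starts echoing a request value"
    DEMO_COMMIT=$(g rev-parse HEAD)
    g tag 1.21.0
    g commit -q --allow-empty -m "later work"
    g tag 1.23.10
    g checkout -q REL1_19
    g commit -q --allow-empty -m "maintenance fix"
    g tag 1.19.24
}

build_demo_repo
echo "first release containing the commit: $(first_release_containing "$DEMO_REPO" "$DEMO_COMMIT")"
for t in 1.19.24 1.23.10; do
    if release_contains "$DEMO_REPO" "$DEMO_COMMIT" "$t"; then
        echo "$t: contains the commit"
    else
        echo "$t: does not contain the commit"
    fi
done
rm -rf "$DEMO_REPO"
```

A cherry-picked backport gets a new commit hash, so neither check sees it. A "does not contain" result for a maintenance branch is conclusive only when the change was never backported there.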
