Control: retitle -1 CVE-2015-6727 CVE-2015-6728 CVE-2015-6730

Hi Thorsten,

On Wed, Sep 16, 2015 at 03:31:31PM +0200, Thorsten Glaser wrote:
> On Tue, 15 Sep 2015, Salvatore Bonaccorso wrote:
>
> > CVE-2015-6729[2]:
> > | Cross-site scripting (XSS) vulnerability in thumb.php in MediaWiki
> > | before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2 allows
> > | remote attackers to inject arbitrary web script or HTML via the rel404
> > | parameter, which is not properly handled in an error page.
>
> 1.19 is not vulnerable against this as it never echos the passed string.
> This was added e.g. in commit a04d9cb7487773e102285de13b7092a2bc9b6821
> first released in 1.21.0 according to 'git tag --contains'.

Thanks for the correction. I have now updated the security-tracker, so
should reflect correct status soon.

Regards,
Salvatore

