Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2014-3966

Cross-site scripting (XSS) vulnerability in Special:PasswordReset in MediaWiki before 1.19.16, 1.21.x before 1.21.10, and 1.22.x before 1.22.7, when wgRawHtml is enabled, allows remote attackers to inject arbitrary web script or HTML via an invalid username.

Related bugs and status

CVE-2014-3966 (Candidate) is related to these bugs:

Bug #1370227: Mediawiki package vulnerable to CVE-2014-2665

Summary				In	Importance	Status
	1370227	Mediawiki package vulnerable to CVE-2014-2665		mediawiki (Ubuntu)	Undecided	Expired

See the

CVE page on Mitre.org for more details.

References

MLIST: [MediaWiki-announce] 2...
MLIST: [oss-security] 2014060...
CONFIRM: https://bugzilla.wikim...
BID: 67787
SECUNIA: 58896
SECUNIA: 58834
SECTRACK: 1030364
DEBIAN: DSA-2957