Date: Sat, 27 Sep 2014 00:26:10 -0400 (EDT)
From: cve-assign@...re.org
To: hanno@...eck.de
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: Mediawiki before 1.19.19, 1.22.11 and 1.23.4 insufficient CSS filtering of SVGs

> From: Chris Steipp
> The issue was that javascript could be injected via the css, so basic xss.

> https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-September/000161.html
> https://bugzilla.wikimedia.org/show_bug.cgi?id=69008
> https://gerrit.wikimedia.org/r/#/c/162777/
> 
> 
> * (bug 69008) SECURITY: Enhance CSS filtering in SVG files. Filter
>   <style> elements; normalize style elements and attributes before
>   filtering; add checks for attributes that contain css; add unit tests
>   for html5sec and reported bugs.

Use CVE-2014-7199.

(This set of issues had multiple discoverers but apparently all of the
discoverers are among the primary MediaWiki developers or reviewers
and thus there aren't separate CVEs for each discoverer.)

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
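The quoted changelog entry says the fix normalizes style elements and attributes before filtering them. The following is an added example, not part of the original message and not MediaWiki's code, showing why that order matters for an SVG upload check; the deny-list, the attribute set and the sample SVG are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET  # assumption: swap in a hardened XML parser for untrusted uploads

# Illustrative deny-list (constructed for this example, not MediaWiki's rule set).
UNSAFE = re.compile(r"javascript:|expression\(|@import|-moz-binding|behavior:|url\((?!['\"]?#)")
# Assumed subset of SVG attributes whose values are parsed as CSS.
CSS_ATTRS = {"style", "fill", "stroke", "filter", "clip-path", "mask"}

def _hex_escape(match):
    code = int(match.group(1), 16)
    return chr(code) if 0 < code <= 0x10FFFF else "\ufffd"

def normalize_css(css):
    """Undo CSS escapes and comments so the filter sees what a CSS parser would."""
    css = re.sub(r"\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?", _hex_escape, css)  # \73 -> s
    css = re.sub(r"\\(.)", r"\1", css, flags=re.S)                        # \s  -> s
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.S)                       # drop comments
    return re.sub(r"\s+", "", css).lower()

def local_name(qname):
    return qname.rsplit("}", 1)[-1].lower()  # strip the "{namespace}" prefix

def check_svg(svg_text):
    """Return (element, location) for each CSS fragment that trips the filter."""
    findings = []
    for el in ET.fromstring(svg_text).iter():
        tag = local_name(el.tag)
        if tag == "style" and UNSAFE.search(normalize_css(el.text or "")):
            findings.append((tag, "text"))
        for name, value in el.attrib.items():
            if local_name(name) in CSS_ATTRS and UNSAFE.search(normalize_css(value)):
                findings.append((tag, name))
    return findings

# Constructed sample: one escaped <style> rule, one comment-split style attribute,
# and harmless local references that must still pass.
SAMPLE_SVG = r"""<svg xmlns="http://www.w3.org/2000/svg">
  <style>rect { background: u\72l(java\73 cript:void(0)) }</style>
  <rect style="width: expr/**/ession(1)" fill="url(#grad)"/>
  <circle fill="url(#grad)" style="stroke: #000"/>
</svg>"""

if __name__ == "__main__":
    for finding in check_svg(SAMPLE_SVG):
        print("rejected CSS in", finding)
```

Matching the same deny-list against the raw, un-normalized strings misses both fragments, which is the gap that normalizing first closes.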
