
====================================================================

                             CERT-Renater

                  Information Note No. 2012/VULN472
____________________________________________________________________

DATE                :  28/11/2012

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running MediaWiki versions prior to
                        1.18.6, 1.19.3, 1.20.1.

======================================================================
http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-November/000121.html
______________________________________________________________________

On Thursday, November 29th, between 21:00-22:00 UTC (1-2pm PST)
Wikimedia Foundation will release security updates for current and
supported branches of the MediaWiki software. We are providing this
pre-announcement as a courtesy for administrators to be ready to
accept the fix for these on Thursday. We will send another
announcement email when the patches and tar files are ready for
download.

* Vulnerabilities were found in both MediaWiki core and the
CentralAuth extension. Successful exploitation could allow an attacker
to compromise another user's account. Risk is considered moderate
(CVSS Base Score: 4).
* One vulnerability was discovered that could allow an attacker to
prevent users from viewing Special:RecentChanges, and other pages,
which could prevent the detection of SPAM or vandalism. Public wikis
are encouraged to upgrade.
* A flaw in the MediaWiki 1.20 API could allow a stored XSS.
Exploitation requires user interaction or an existing XSS
vulnerability, so risk of exploitation is low.

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>


=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================
