Candidate: CVE-2013-4303
PublicDate: 2019-12-11 19:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4303
 https://bugzilla.wikimedia.org/show_bug.cgi?id=52746
 https://phabricator.wikimedia.org/T54746
 https://www.mediawiki.org/wiki/Release_notes/1.19#MediaWiki_1.19.8
Description:
 includes/libs/IEUrlExtension.php in the MediaWiki API in MediaWiki 1.19.x
 before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 does not
 properly detect extensions when there are an even number of "." (period)
 characters in a string, which allows remote attackers to conduct
 cross-site scripting (XSS) attacks via the siprop parameter in a query
 action to wiki/api.php.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N [6.1 MEDIUM]

Patches_mediawiki:
upstream_mediawiki: released (1:1.19.8+dfsg-1)
lucid_mediawiki: ignored (reached end-of-life)
precise_mediawiki: ignored (reached end-of-life)
precise/esm_mediawiki: DNE (precise was needed)
quantal_mediawiki: ignored (reached end-of-life)
raring_mediawiki: ignored (reached end-of-life)
saucy_mediawiki: not-affected (1:1.19.8+dfsg-1)
trusty_mediawiki: not-affected (1:1.19.8+dfsg-1)
trusty/esm_mediawiki: DNE
utopic_mediawiki: not-affected (1:1.19.8+dfsg-1)
vivid_mediawiki: not-affected (1:1.19.8+dfsg-1)
vivid/stable-phone-overlay_mediawiki: DNE
vivid/ubuntu-core_mediawiki: DNE
wily_mediawiki: not-affected (1:1.19.8+dfsg-1)
xenial_mediawiki: DNE
yakkety_mediawiki: not-affected (1:1.19.8+dfsg-1)
zesty_mediawiki: not-affected (1:1.19.8+dfsg-1)
artful_mediawiki: not-affected (1:1.19.8+dfsg-1)
bionic_mediawiki: not-affected (1:1.19.8+dfsg-1)
cosmic_mediawiki: not-affected (1:1.19.8+dfsg-1)
disco_mediawiki: not-affected (1:1.19.8+dfsg-1)
eoan_mediawiki: not-affected (1:1.19.8+dfsg-1)
focal_mediawiki: not-affected (1:1.19.8+dfsg-1)
groovy_mediawiki: not-affected (1:1.19.8+dfsg-1)
hirsute_mediawiki: not-affected (1:1.19.8+dfsg-1)
impish_mediawiki: not-affected (1:1.19.8+dfsg-1)
jammy_mediawiki: not-affected (1:1.19.8+dfsg-1)
devel_mediawiki: not-affected (1:1.19.8+dfsg-1)