Candidate: CVE-2014-2853
PublicDate: 2014-04-29 18:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2853
 https://www.mediawiki.org/wiki/Release_notes/1.22#Changes_since_1.22.5
 https://www.mediawiki.org/wiki/Release_notes/1.21#Changes_since_1.21.8
 https://github.com/wikimedia/mediawiki-core/commit/0b695ae09aada343ab59be4a3c9963995a1143b6
 https://bugzilla.wikimedia.org/show_bug.cgi?id=63251
 https://bugzilla.redhat.com/show_bug.cgi?id=1091967
 http://secunia.com/advisories/58262
 http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-April/000149.html
Description:
 Cross-site scripting (XSS) vulnerability in includes/actions/InfoAction.php
 in MediaWiki before 1.21.9 and 1.22.x before 1.22.6 allows remote attackers
 to inject arbitrary web script or HTML via the sort key in an info action.
Ubuntu-Description:
Notes:
 ebarretto> On 1.19 action=info is disabled by default.
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS: 

Patches_mediawiki:
upstream_mediawiki: released (1.21.9,1.22.6)
lucid_mediawiki: ignored (reached end-of-life)
precise_mediawiki: ignored (reached end-of-life)
precise/esm_mediawiki: DNE (precise was needed)
quantal_mediawiki: ignored (reached end-of-life)
saucy_mediawiki: ignored (reached end-of-life)
trusty_mediawiki: not-affected
trusty/esm_mediawiki: DNE (trusty was not-affected)
utopic_mediawiki: ignored (reached end-of-life)
vivid_mediawiki: ignored (reached end-of-life)
vivid/stable-phone-overlay_mediawiki: DNE
vivid/ubuntu-core_mediawiki: DNE
wily_mediawiki: ignored (reached end-of-life)
xenial_mediawiki: DNE
yakkety_mediawiki: ignored (reached end-of-life)
zesty_mediawiki: ignored (reached end-of-life)
artful_mediawiki: ignored (reached end-of-life)
bionic_mediawiki: not-affected (1.22.6)
cosmic_mediawiki: not-affected (1.22.6)
devel_mediawiki: not-affected (1.22.6)