ID CVE-2017-8812
Summary MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows remote attackers to inject > (greater than) characters via the id attribute of a headline.
References
Vulnerable Configurations
  • MediaWiki 1.27.3
    cpe:2.3:a:mediawiki:mediawiki:1.27.3
  • MediaWiki 1.28.0
    cpe:2.3:a:mediawiki:mediawiki:1.28.0
  • MediaWiki 1.28.1
    cpe:2.3:a:mediawiki:mediawiki:1.28.1
  • MediaWiki 1.28.2
    cpe:2.3:a:mediawiki:mediawiki:1.28.2
  • MediaWiki 1.29.0
    cpe:2.3:a:mediawiki:mediawiki:1.29.0
  • MediaWiki 1.29.1
    cpe:2.3:a:mediawiki:mediawiki:1.29.1
  • Debian Linux 9.0
    cpe:2.3:o:debian:debian_linux:9.0
CVSS
Base: 5.0
Impact:
Exploitability:
CWE CWE-284
CAPEC
  • Embedding Scripts within Scripts
    An attack of this type exploits a program's vulnerabilities that are brought on by allowing remote hosts to execute scripts. The attacker leverages this capability to execute his/her own script by embedding it within other scripts that the target software is likely to execute. The attacker must have the ability to inject script into script that is likely to be executed. If this is done, the attacker can potentially launch a variety of probes and attacks against the web server's local environment (in many cases the so-called DMZ), back-end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries such as Web App Firewalls, network devices, and even printers having JVMs and web servers, there are many locales where an attacker can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. These attacks are not limited to the server side: client-side scripts such as Ajax and client-side JavaScript can contain malicious scripts as well. In general, all that is required is sufficient privilege to execute a script that is not protected against writing.
  • Signature Spoofing by Key Theft
    An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
nessus via4
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-4036.NASL
    description Multiple security vulnerabilities have been discovered in MediaWiki, a website engine for collaborative work:
      - CVE-2017-8808 Cross-site-scripting with non-standard URL escaping and $wgShowExceptionDetails disabled.
      - CVE-2017-8809 Reflected file download in API.
      - CVE-2017-8810 On private wikis the login form didn't distinguish between login failure due to bad username and bad password.
      - CVE-2017-8811 It was possible to mangle HTML via raw message parameter expansion.
      - CVE-2017-8812 id attributes in headlines allowed raw '>'.
      - CVE-2017-8814 Language converter could be tricked into replacing text inside tags.
      - CVE-2017-8815 Unsafe attribute injection via glossary rules in language converter.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 104588
    published 2017-11-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104588
    title Debian DSA-4036-1 : mediawiki - security update
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_298829E2CCCE11E792E4000C29649F92.NASL
    description mediawiki reports security fixes:
      - T128209: Reflected File Download from api.php. Reported by Abdullah Hussam.
      - T165846: BotPasswords doesn't throttle login attempts.
      - T134100: On private wikis, login form shouldn't distinguish between login failure due to bad username and bad password.
      - T178451: XSS when $wgShowExceptionDetails = false and browser sends non-standard url escaping.
      - T176247: It's possible to mangle HTML via raw message parameter expansion.
      - T125163: id attribute on headlines allow raw '>'.
      - T124404: language converter can be tricked into replacing text inside tags by adding a lot of junk after the rule definition.
      - T119158: Language converter: unsafe attribute injection via glossary rules.
      - T180488: api.log contains passwords in plaintext wasn't correctly fixed.
      - T180231: composer.json has require-dev versions of PHPUnit with known security issues. Reported by Tom Hutchison.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 104693
    published 2017-11-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104693
    title FreeBSD : mediawiki -- multiple vulnerabilities (298829e2-ccce-11e7-92e4-000c29649f92)
refmap via4
confirm https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html
debian DSA-4036
sectrack 1039812
Last major update 15-11-2017 - 03:29
Published 15-11-2017 - 03:29
Last modified 28-11-2017 - 12:12