what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 3 of 3 RSS Feed

CVE-2013-4302

Status Candidate

Overview

(1) ApiBlock.php, (2) ApiCreateAccount.php, (3) ApiLogin.php, (4) ApiMain.php, (5) ApiQueryDeletedrevs.php, (6) ApiTokens.php, and (7) ApiUnblock.php in includes/api/ in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allow remote attackers to obtain CSRF tokens and bypass the cross-site request forgery (CSRF) protection mechanism via a JSONP request to wiki/api.php.

Related Files

Gentoo Linux Security Advisory 201310-21
Posted Oct 28, 2013
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory 201310-21 - Multiple vulnerabilities have been found in MediaWiki, the worst of which could lead to Denial of Service. Versions less than 1.21.2 are affected.

tags | advisory, denial of service, vulnerability
systems | linux, gentoo
advisories | CVE-2013-1816, CVE-2013-1817, CVE-2013-1818, CVE-2013-1951, CVE-2013-2031, CVE-2013-2032, CVE-2013-2114, CVE-2013-4301, CVE-2013-4302, CVE-2013-4303, CVE-2013-4304, CVE-2013-4305, CVE-2013-4306, CVE-2013-4307, CVE-2013-4308
SHA-256 | ac99ffc7a59e19273c6f7c08c59b9e2e2bc135cfd07f27fd127001d0bd0ca8d6
Mandriva Linux Security Advisory 2013-235
Posted Sep 16, 2013
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2013-235 - Multiple vulnerabilities has been discovered and corrected in mediawiki. Full path disclosure in MediaWiki before 1.20.7, when an invalid language is specified in ResourceLoader. Several API modules in MediaWiki before 1.20.7 allowed anti-CSRF tokens to be accessed via JSONP. An issue with the MediaWiki API in MediaWiki before 1.20.7 where an invalid property name could be used for XSS with older versions of Internet Explorer. Several unspecified security issues were fixed with the 1.20.6 version. This replaces the MediaWiki 1.16.5 version, which has been EOL upstream for quite some time now, that was shipped with MBS 1. MediaWiki removed the Math extension for the 1.18 release, but it is now available separately. It has been packaged in the mediawiki-math package. The mediawiki-graphviz and mediawiki-ldapauthentication packages have also been updated to work with the new MediaWiki packages. The updated packages provides a solution to these issues.

tags | advisory, vulnerability
systems | linux, mandriva
advisories | CVE-2013-4301, CVE-2013-4302, CVE-2013-4303
SHA-256 | 59975cc64e426aac4d28c6370707a149449b05281ac9ce4423d50df3c6b488da
Debian Security Advisory 2753-1
Posted Sep 13, 2013
Authored by Debian | Site debian.org

Debian Linux Security Advisory 2753-1 - It was discovered that in Mediawiki, a wiki engine, several API modules allowed anti-CSRF tokens to be accessed via JSONP. These tokens protect against cross site request forgeries and are confidential.

tags | advisory
systems | linux, debian
advisories | CVE-2013-4302
SHA-256 | 48974ef0719214c241b3c1f2c20f0ed60828b426c7894f1ff79b784caed12264
Page 1 of 1
Back1Next

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close