CVE-2009-0737

Multiple cross-site scripting (XSS) vulnerabilities in the web-based installer (config/index.php) in MediaWiki 1.6 before 1.6.12, 1.12 before 1.12.4, and 1.13 before 1.13.4, when the installer is in active use, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS v2.0 2.6 LOW

2.6^/10

CVSS v2.0 : LOW

V2 Legend

Vector : AV:N/AC:H/Au:N/C:N/I:P/A:N

Exploitability : 4.9 / Impact : 2.9

Access Vector NETWORK

Access Complexity HIGH

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_13_4/phase3/RELEASE-NOTES	Vendor Advisory
http://www.securityfocus.com/bid/33681	Patch
http://www.vupen.com/english/advisories/2009/0368	Patch Vendor Advisory
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_6_12/phase3/RELEASE-NOTES	Vendor Advisory
http://secunia.com/advisories/33881	Vendor Advisory
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_12_4/phase3/RELEASE-NOTES	Vendor Advisory
http://lists.wikimedia.org/pipermail/mediawiki-announce/2009-February/000083.html	Patch
http://www.debian.org/security/2009/dsa-1901

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:mediawiki:mediawiki:1.12.0:::::::*
	cpe:2.3:a:mediawiki:mediawiki:1.13.0:rc2::::::
	cpe:2.3:a:mediawiki:mediawiki:1.13.1:::::::*
	cpe:2.3:a:mediawiki:mediawiki:1.6.5:::::::*
	cpe:2.3:a:mediawiki:mediawiki:1.6.6:::::::*
	cpe:2.3:a:mediawiki:mediawiki:1.12.0:rc1::::::
	cpe:2.3:a:mediawiki:mediawiki:1.12.1:::::::*
	cpe:2.3:a:mediawiki:mediawiki:1.13.0:::::::*
	cpe:2.3:a:mediawiki:mediawiki:1.13.0:rc1::::::
	cpe:2.3:a:mediawiki:mediawiki:1.6.3:::::::*
	cpe:2.3:a:mediawiki:mediawiki:1.6.4:::::::*
	cpe:2.3:a:mediawiki:mediawiki:1.12.3:::::::*
	cpe:2.3:a:mediawiki:mediawiki:1.6.2:::::::*
	cpe:2.3:a:mediawiki:mediawiki:1.6.10:::::::*
	cpe:2.3:a:mediawiki:mediawiki:1.6.7:::::::*
	cpe:2.3:a:mediawiki:mediawiki:1.6.9:::::::*
	cpe:2.3:a:mediawiki:mediawiki:1.6.11:::::::*
	cpe:2.3:a:mediawiki:mediawiki:1.13.3:::::::*
	cpe:2.3:a:mediawiki:mediawiki:1.6.0:::::::*
	cpe:2.3:a:mediawiki:mediawiki:1.6.1:::::::*
	cpe:2.3:a:mediawiki:mediawiki:1.13.2:::::::*
	cpe:2.3:a:mediawiki:mediawiki:1.6.8:::::::*
	cpe:2.3:a:mediawiki:mediawiki:1.12.2:::::::*

Information

Published : 2009-02-25 12:30

Updated : 2009-10-13 22:22

NVD link : CVE-2009-0737

Mitre link : CVE-2009-0737

JSON object : View

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Products Affected

mediawiki

mediawiki

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_13_4/phase3/RELEASE-NOTES", "name": "http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_13_4/phase3/RELEASE-NOTES", "tags": ["Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "http://www.securityfocus.com/bid/33681", "name": "33681", "tags": ["Patch"], "refsource": "BID"}, {"url": "http://www.vupen.com/english/advisories/2009/0368", "name": "ADV-2009-0368", "tags": ["Patch", "Vendor Advisory"], "refsource": "VUPEN"}, {"url": "http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_6_12/phase3/RELEASE-NOTES", "name": "http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_6_12/phase3/RELEASE-NOTES", "tags": ["Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "http://secunia.com/advisories/33881", "name": "33881", "tags": ["Vendor Advisory"], "refsource": "SECUNIA"}, {"url": "http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_12_4/phase3/RELEASE-NOTES", "name": "http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_12_4/phase3/RELEASE-NOTES", "tags": ["Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2009-February/000083.html", "name": "[MediaWiki-announce] 20090207 MediaWiki releases: security update and new major branch", "tags": ["Patch"], "refsource": "MLIST"}, {"url": "http://www.debian.org/security/2009/dsa-1901", "name": "DSA-1901", "tags": [], "refsource": "DEBIAN"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in the web-based installer (config/index.php) in MediaWiki 1.6 before 1.6.12, 1.12 before 1.12.4, and 1.13 before 1.13.4, when the installer is in active use, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-79"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2009-0737", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 2.6, "accessVector": "NETWORK", "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "HIGH", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "severity": "LOW", "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 4.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}}, "publishedDate": "2009-02-25T20:30Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:mediawiki:mediawiki:1.12.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mediawiki:mediawiki:1.13.0:rc2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mediawiki:mediawiki:1.13.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mediawiki:mediawiki:1.6.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mediawiki:mediawiki:1.6.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mediawiki:mediawiki:1.12.0:rc1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mediawiki:mediawiki:1.12.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mediawiki:mediawiki:1.13.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mediawiki:mediawiki:1.13.0:rc1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mediawiki:mediawiki:1.6.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mediawiki:mediawiki:1.6.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mediawiki:mediawiki:1.12.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mediawiki:mediawiki:1.6.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mediawiki:mediawiki:1.6.10:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mediawiki:mediawiki:1.6.7:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mediawiki:mediawiki:1.6.9:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mediawiki:mediawiki:1.6.11:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mediawiki:mediawiki:1.13.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mediawiki:mediawiki:1.6.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mediawiki:mediawiki:1.6.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mediawiki:mediawiki:1.13.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mediawiki:mediawiki:1.6.8:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mediawiki:mediawiki:1.12.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2009-10-14T05:22Z"}

2.6 /10