CVE-2008-5250

NameCVE-2008-5250
DescriptionCross-site scripting (XSS) vulnerability in MediaWiki before 1.6.11, 1.12.x before 1.12.2, and 1.13.x before 1.13.3, when Internet Explorer is used and uploads are enabled, or an SVG scripting browser is used and SVG uploads are enabled, allows remote authenticated users to inject arbitrary web script or HTML by editing a wiki page.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-1901-1, DTSA-186-1
Debian Bugs508869

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
mediawiki (PTS)buster1:1.31.16-1+deb10u2fixed
buster (security)1:1.31.16-1+deb10u7fixed
bullseye (security), bullseye1:1.35.13-1~deb11u1fixed
bookworm, bookworm (security)1:1.39.5-1~deb12u1fixed
sid, trixie1:1.39.6-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
mediawikisourceetch(not affected)
mediawikisourcelenny1:1.12.0-2lenny2DTSA-186-1
mediawikisource(unstable)1:1.13.3-1508869
mediawiki1.7sourceetch1.7.1-9etch1DSA-1901-1
mediawiki1.7source(unstable)(unfixed)

Notes

[etch] - mediawiki <not-affected> (metapackage)

Search for package or bug name: Reporting problems