CVE-2009-0737

NameCVE-2009-0737
DescriptionMultiple cross-site scripting (XSS) vulnerabilities in the web-based installer (config/index.php) in MediaWiki 1.6 before 1.6.12, 1.12 before 1.12.4, and 1.13 before 1.13.4, when the installer is in active use, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-1901-1
NVD severitylow (attack range: remote)
Debian Bugs514547

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
mediawiki (PTS)wheezy, wheezy (security)1:1.19.20+dfsg-0+deb7u3fixed
stretch (security), stretch1:1.27.4-1~deb9u1fixed
buster, sid1:1.27.4-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
mediawikisource(unstable)1:1.14.0-1low514547
mediawikisourceetch(not affected)
mediawikisourcelenny1:1.12.0-2lenny3low
mediawiki1.7source(unstable)(unfixed)low
mediawiki1.7sourceetch1.7.1-9etch1lowDSA-1901-1

Notes

[etch] - mediawiki <not-affected> (metapackage)

Search for package or bug name: Reporting problems