CVE-2013-6454

Name	CVE-2013-6454
Description	Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via a -o-link attribute.
Source	CVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, more)
References	DSA-2891-1
NVD severity	medium (attack range: remote, user-initiated)
Debian/oldstable	package mediawiki is vulnerable.
Debian/stable	not vulnerable.
Debian/testing	not vulnerable.
Debian/unstable	not vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
mediawiki (PTS)	squeeze (security), squeeze	1:1.15.5-2squeeze6	vulnerable
	wheezy, wheezy (security)	1:1.19.20+dfsg-0+deb7u3	fixed
	jessie, sid	1:1.19.20+dfsg-2.2	fixed
mediawiki-extensions (PTS)	wheezy, wheezy (security)	3.5~deb7u2	fixed

The information above is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin
mediawiki	source	(unstable)	1:1.19.10+dfsg-1	medium
mediawiki	source	squeeze	(unfixed)	end-of-life
mediawiki	source	wheezy	1:1.19.14+dfsg-0+deb7u1	medium	DSA-2891-1
mediawiki-extensions	source	wheezy	3.5~deb7u1	medium	DSA-2891-1

https://bugzilla.wikimedia.org/show_bug.cgi?id=58472