CVE-2013-2031

Current Description

MediaWiki before 1.19.6 and 1.20.x before 1.20.5 allows remote attackers to conduct cross-site scripting (XSS) attacks, as demonstrated by a CDATA section containing valid UTF-7 encoded sequences in an SVG file, which is then incorrectly interpreted as UTF-8 by Chrome and Firefox.

Basic Data

Published: November 18, 2013
Last Modified: December 31, 2016
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-79
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: MEDIUM
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: NONE
CVSS 2 - Availability Impact: NONE
CVSS 2 - Base Score: 4.3
Severity: MEDIUM
Exploitability Score: 8.6
Impact Score: 2.9
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
    Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding
    2.3 | OS | Gentoo | Linux | * | * | * | * | * | * | * | * | | | |
  • OR - Configuration 2
    Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding
    2.3 | Application | Mediawiki | Mediawiki | 1.1.0 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.10.0 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.10.0 | rc1 | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.10.0 | rc2 | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.10.1 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.10.2 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.10.3 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.10.4 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.11 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.11.0 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.11.0 | rc1 | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.11.1 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.11.2 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.12.0 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.12.0 | rc1 | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.12.1 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.12.2 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.12.3 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.12.4 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.13.0 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.13.0 | rc1 | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.13.0 | rc2 | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.13.1 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.13.2 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.13.3 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.13.4 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.14.0 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.14.0 | rc1 | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.14.1 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.15.0 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.15.0 | rc1 | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.15.1 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.15.2 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.15.3 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.15.4 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.15.5 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.16.0 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.16.0 | beta1 | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.16.0 | beta2 | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.16.0 | beta3 | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.16.1 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.16.2 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.17 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.17 | beta_1 | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.17.0 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.17.0 | rc1 | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.17.1 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.17.2 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.17.3 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.17.4 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.18 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.18 | beta_1 | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.18.0 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.18.0 | rc1 | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.18.1 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.18.2 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.18.3 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.19 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.19 | beta_1 | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.19 | beta_2 | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.19.0 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.19.1 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.19.2 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.19.3 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.19.4 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | * | * | * | * | * | * | * | * | | 1.19.5 | |
    2.3 | Application | Mediawiki | Mediawiki | 1.20.1 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.20.2 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.20.3 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Mediawiki | Mediawiki | 1.20.4 | * | * | * | * | * | * | * | | | |

Vulnerable Software List

Vendor | Product | Versions
Mediawiki | Mediawiki | *, 1.1.0, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.10.4, 1.11, 1.11.0, 1.11.1, 1.11.2, 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 1.13.0, 1.13.1, 1.13.2, 1.13.3, 1.13.4, 1.14.0, 1.14.1, 1.15.0, 1.15.1, 1.15.2, 1.15.3, 1.15.4, 1.15.5, 1.16.0, 1.16.1, 1.16.2, 1.17, 1.17.0, 1.17.1, 1.17.2, 1.17.3, 1.17.4, 1.18, 1.18.0, 1.18.1, 1.18.2, 1.18.3, 1.19, 1.19.0, 1.19.1, 1.19.2, 1.19.3, 1.19.4, 1.20.1, 1.20.2, 1.20.3, 1.20.4
Gentoo | Linux | *

References

Name | Source | URL | Tags
FEDORA-2013-7701 | FEDORA | http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105784.html |
FEDORA-2013-7714 | FEDORA | http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105825.html |
FEDORA-2013-7654 | FEDORA | http://lists.fedoraproject.org/pipermail/package-announce/2013-May/106293.html |
[MediaWiki-announce] 20130430 MediaWiki Security Release: 1.20.5 and 1.19.6 | MLIST | http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-April/000129.html | Patch
55433 | SECUNIA | http://secunia.com/advisories/55433 | Vendor Advisory
57472 | SECUNIA | http://secunia.com/advisories/57472 |
GLSA-201310-21 | GENTOO | http://security.gentoo.org/glsa/glsa-201310-21.xml |
DSA-2891 | DEBIAN | http://www.debian.org/security/2014/dsa-2891 |
[oss-security] 20130501 Re: Mediawiki CVE request ( was Fw: [MediaWiki-announce] MediaWiki Security Release: 1.20.5 and 1.19.6) | MLIST | http://www.openwall.com/lists/oss-security/2013/05/01/2 |
59594 | BID | http://www.securityfocus.com/bid/59594 |
https://bugzilla.wikimedia.org/show_bug.cgi?id=47304 | CONFIRM | https://bugzilla.wikimedia.org/show_bug.cgi?id=47304 |