DSA-3046-1 mediawiki -- mediawiki
ID: oval:org.secpod.oval:def:601796 | Date: (C)2014-10-17 (M)2022-10-10 | Class: PATCH | Family: unix
It was reported that MediaWiki, a website engine for collaborative work, allowed user-created CSS to be loaded on pages where user-created JavaScript is not allowed. A wiki user could be tricked into performing actions through CSS that manipulates the interface, or through JavaScript code executed from CSS, on security-sensitive pages such as Special:Preferences and Special:UserLogin. This update removes the separation of CSS and JavaScript module allowance.