CVE-2008-5250 - Vulnerability Details - OpenCVE

Cross-site scripting (XSS) vulnerability in MediaWiki before 1.6.11, 1.12.x before 1.12.2, and 1.13.x before 1.13.3, when Internet Explorer is used and uploads are enabled, or an SVG scripting browser is used and SVG uploads are enabled, allows remote authenticated users to inject arbitrary web script or HTML by editing a wiki page.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mediawiki	Mediawiki

Configuration 1 [-]

OR	cpe:2.3:a:mediawiki:mediawiki:1.6.11:::::::*
	cpe:2.3:a:mediawiki:mediawiki:1.12.0:::::::*
	cpe:2.3:a:mediawiki:mediawiki:1.12.1:::::::*
	cpe:2.3:a:mediawiki:mediawiki:1.13.0:::::::*
	cpe:2.3:a:mediawiki:mediawiki:1.13.1:::::::*
	cpe:2.3:a:mediawiki:mediawiki:1.13.2:::::::*

No data.

References

Link	Providers
http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html
http://lists.wikimedia.org/pipermail/mediawiki-announce/2008-December/000080.html
http://secunia.com/advisories/33133
http://secunia.com/advisories/33349
http://www.debian.org/security/2009/dsa-1901
http://www.securityfocus.com/bid/32844
https://www.redhat.com/archives/fedora-package-announce/2008-December/msg01256.html
https://www.redhat.com/archives/fedora-package-announce/2008-December/msg01309.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2008-12-19T17:00:00

Updated: 2024-08-07T10:49:11.913Z

Reserved: 2008-11-26T00:00:00

Link: CVE-2008-5250

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2008-12-19T17:30:03.110

Modified: 2025-04-09T00:30:58.490

Link: CVE-2008-5250

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2008-12-15T00:00:00", "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in MediaWiki before 1.6.11, 1.12.x before 1.12.2, and 1.13.x before 1.13.3, when Internet Explorer is used and uploads are enabled, or an SVG scripting browser is used and SVG uploads are enabled, allows remote authenticated users to inject arbitrary web script or HTML by editing a wiki page."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2009-01-01T10:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "FEDORA-2008-11802", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-December/msg01309.html"}, {"name": "DSA-1901", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2009/dsa-1901"}, {"name": "33133", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/33133"}, {"name": "SUSE-SR:2009:004", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"}, {"name": "[mediawiki-announce] 20081215 MediaWiki 1.13.3, 1.12.2, 1.6.11 security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2008-December/000080.html"}, {"name": "32844", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/32844"}, {"name": "FEDORA-2008-11688", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-December/msg01256.html"}, {"name": "33349", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/33349"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-5250", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in MediaWiki before 1.6.11, 1.12.x before 1.12.2, and 1.13.x before 1.13.3, when Internet Explorer is used and uploads are enabled, or an SVG scripting browser is used and SVG uploads are enabled, allows remote authenticated users to inject arbitrary web script or HTML by editing a wiki page."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "FEDORA-2008-11802", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-December/msg01309.html"}, {"name": "DSA-1901", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2009/dsa-1901"}, {"name": "33133", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/33133"}, {"name": "SUSE-SR:2009:004", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"}, {"name": "[mediawiki-announce] 20081215 MediaWiki 1.13.3, 1.12.2, 1.6.11 security update", "refsource": "MLIST", "url": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2008-December/000080.html"}, {"name": "32844", "refsource": "BID", "url": "http://www.securityfocus.com/bid/32844"}, {"name": "FEDORA-2008-11688", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-December/msg01256.html"}, {"name": "33349", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/33349"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T10:49:11.913Z"}, "title": "CVE Program Container", "references": [{"name": "FEDORA-2008-11802", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-December/msg01309.html"}, {"name": "DSA-1901", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2009/dsa-1901"}, {"name": "33133", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/33133"}, {"name": "SUSE-SR:2009:004", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"}, {"name": "[mediawiki-announce] 20081215 MediaWiki 1.13.3, 1.12.2, 1.6.11 security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2008-December/000080.html"}, {"name": "32844", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/32844"}, {"name": "FEDORA-2008-11688", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-December/msg01256.html"}, {"name": "33349", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/33349"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-5250", "datePublished": "2008-12-19T17:00:00", "dateReserved": "2008-11-26T00:00:00", "dateUpdated": "2024-08-07T10:49:11.913Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mediawiki:mediawiki:1.6.11:*:*:*:*:*:*:*", "matchCriteriaId": "9842D148-50D2-4A52-A3E1-529670A25EBD", "vulnerable": true}, {"criteria": "cpe:2.3:a:mediawiki:mediawiki:1.12.0:*:*:*:*:*:*:*", "matchCriteriaId": "746023B5-2472-4FC9-BEDF-FE6A321F12B9", "vulnerable": true}, {"criteria": "cpe:2.3:a:mediawiki:mediawiki:1.12.1:*:*:*:*:*:*:*", "matchCriteriaId": "66714539-F1E1-4C16-AA12-059EEB1B9DF6", "vulnerable": true}, {"criteria": "cpe:2.3:a:mediawiki:mediawiki:1.13.0:*:*:*:*:*:*:*", "matchCriteriaId": "79CDE6D3-A26D-4ECD-B949-B9DDB53F67C3", "vulnerable": true}, {"criteria": "cpe:2.3:a:mediawiki:mediawiki:1.13.1:*:*:*:*:*:*:*", "matchCriteriaId": "A26F4C94-E3A5-456E-8E5E-36BA67DD4BD5", "vulnerable": true}, {"criteria": "cpe:2.3:a:mediawiki:mediawiki:1.13.2:*:*:*:*:*:*:*", "matchCriteriaId": "C7C6D23B-B5C1-4F10-9F62-E81F639FF40F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in MediaWiki before 1.6.11, 1.12.x before 1.12.2, and 1.13.x before 1.13.3, when Internet Explorer is used and uploads are enabled, or an SVG scripting browser is used and SVG uploads are enabled, allows remote authenticated users to inject arbitrary web script or HTML by editing a wiki page."}, {"lang": "es", "value": "Una vulnerabilidad de ejecuci\u00f3n de secuencias de comandos en sitios cruzados en versiones de MediaWiki anteriores a 1.6.11, 1.12.x anteriores a 1.12.2, y 1.13.3 anteriores a 1.13.x, cuando se esta usando Internet Explorer y las subidas est\u00e1n habilitadas, o bien cuando un navegador que permita secuencias de comandos SVG se este usando y las subidas SVG est\u00e9n habilitadas, permite a usuarios remotos autenticados inyectar HTML o secuencias de comandos web arbitrarias durante la edici\u00f3n de una p\u00e1gina del wiki."}], "id": "CVE-2008-5250", "lastModified": "2025-04-09T00:30:58.490", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2008-12-19T17:30:03.110", "references": [{"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2008-December/000080.html"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://secunia.com/advisories/33133"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/33349"}, {"source": "cve@mitre.org", "url": "http://www.debian.org/security/2009/dsa-1901"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/32844"}, {"source": "cve@mitre.org", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-December/msg01256.html"}, {"source": "cve@mitre.org", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-December/msg01309.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2008-December/000080.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "http://secunia.com/advisories/33133"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/33349"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2009/dsa-1901"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/32844"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-December/msg01256.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-December/msg01309.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}