Vulnerability CVE-2012-4378

Vulnerability Name:

CVE-2012-4378 (CCN-134310)

Assigned:

2012-08-31

Published:

2012-08-31

Updated:

2017-10-31

Summary:

Multiple cross-site scripting (XSS) vulnerabilities in MediaWiki before 1.18.5 and 1.19.x before 1.19.2, when unspecified JavaScript gadgets are used, allow remote attackers to inject arbitrary web script or HTML via the userlang parameter to w/index.php.

CVSS v3 Severity:

6.1 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): None

6.1 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

5.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-79

Vulnerability Consequences:

Cross-Site Scripting

References:

Source: MITRE
Type: CNA
CVE-2012-4378

Source: CCN
Type: oss-sec Mailing List, Fri, 31 Aug 2012 11:51:51 -0600
Re: CVE Request -- MediaWiki 1.19.2 and 1.18.5 multiple security flaws

Source: MLIST
Type: Mailing List, Patch, Third Party Advisory
[oss-security] 20120831 Re: CVE Request -- MediaWiki 1.19.2 and 1.18.5 multiple security flaws

Source: MLIST
Type: Mailing List, Patch, Third Party Advisory
[oss-security] 20120831 CVE Request -- MediaWiki 1.19.2 and 1.18.5 multiple security flaws

Source: MISC
Type: Issue Tracking, Third Party Advisory
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686330

Source: CONFIRM
Type: Issue Tracking, Patch, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=853417

Source: XF
Type: UNKNOWN
mediawiki-cve20124378-xss(134310)

Source: MLIST
Type: Patch, Vendor Advisory
[MediaWiki-announce] 20120831 MediaWiki security release: 1.19.2 and 1.18.5

Source: CONFIRM
Type: Issue Tracking, Patch, Vendor Advisory
https://phabricator.wikimedia.org/T39587

Source: CCN
Type: MediaWiki Web site
MediaWiki

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2012-4378

Vulnerable Configuration:

Configuration 1:

cpe:/a:mediawiki:mediawiki:*:*:*:*:*:*:*:* (Version <= 1.18.4)

OR cpe:/a:mediawiki:mediawiki:1.19.0:*:*:*:*:*:*:*

OR cpe:/a:mediawiki:mediawiki:1.19.1:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:mediawiki:mediawiki:1.18.4:*:*:*:*:*:*:*

OR cpe:/a:mediawiki:mediawiki:1.19.1:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:com.ubuntu.artful:def:20124378000	V	CVE-2012-4378 on Ubuntu 17.10 (artful) - medium.	2017-10-26
oval:com.ubuntu.bionic:def:201243780000000	V	CVE-2012-4378 on Ubuntu 18.04 LTS (bionic) - medium.	2017-10-26
oval:com.ubuntu.bionic:def:20124378000	V	CVE-2012-4378 on Ubuntu 18.04 LTS (bionic) - medium.	2017-10-26
oval:com.ubuntu.trusty:def:20124378000	V	CVE-2012-4378 on Ubuntu 14.04 LTS (trusty) - medium.	2017-10-26
oval:com.ubuntu.precise:def:20124378000	V	CVE-2012-4378 on Ubuntu 12.04 LTS (precise) - medium.	2012-09-03

BACK