CVE-2014-3966 Information

Description

Cross-site scripting (XSS) vulnerability in Special:PasswordReset in MediaWiki before 1.19.16 1.21.x before 1.21.10 and 1.22.x before 1.22.7 when wgRawHtml is enabled allows remote attackers to inject arbitrary web script or HTML via an invalid username.

Reference

http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-May/000151.html http://secunia.com/advisories/58834 http://secunia.com/advisories/58896 http://www.debian.org/security/2014/dsa-2957 http://www.openwall.com/lists/oss-security/2014/06/04/15 http://www.securityfocus.com/bid/67787 http://www.securitytracker.com/id/1030364 https://bugzilla.wikimedia.org/show_bug.cgi?id=65501