CVE-2011-1587
MediaWiki < 1.16.4 - Cross-Site Scripting via File Upload with Modified URI Path
Title source: llmDescription
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.4, when Internet Explorer 6 or earlier is used, allows remote attackers to inject arbitrary web script or HTML via an uploaded file accessed with a dangerous extension such as .html located before a ? (question mark) in a query string, in conjunction with a modified URI path that has a %2E sequence in place of the . (dot) character. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1578.
References (4)
Core 4
Core References
Patch mailing-list
x_refsource_mlist
http://openwall.com/lists/oss-security/2011/04/18/5
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2011/dsa-2366
Patch x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=696360
Patch, Vendor Advisory mailing-list
x_refsource_mlist
http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-April/000097.html
Scores
EPSS
0.0022
EPSS Percentile
44.8%
Details
CWE
CWE-79
Status
published
Products (42)
mediawiki/mediawiki
1.1.0
mediawiki/mediawiki
1.2.0
mediawiki/mediawiki
1.2.1
mediawiki/mediawiki
1.2.2
mediawiki/mediawiki
1.2.3
mediawiki/mediawiki
1.2.4
mediawiki/mediawiki
1.2.5
mediawiki/mediawiki
1.2.6
mediawiki/mediawiki
1.3
mediawiki/mediawiki
1.3.0
... and 32 more
Published
Apr 27, 2011
Tracked Since
Feb 18, 2026