On Thu, 18 Dec 2014 07:44:59 +0100, Brian Wolff <bawolff(a)gmail.com> wrote:
== Security fixes in 1.24.1, 1.23.8, 1.22.15 and 1.19.23 ==
* (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw
HTML,
which could lead to xss. Permission to edit MediaWiki namespace is
required
to exploit this.
Really? That's stretching the definition of a security bug.
(Remember that mediawiki:copyright is a raw html message, that's
included on many more pages. Not to mention the whole
MediaWiki:Common.js thing)
Indeed, it seems to me that the meaning of "security bug" has been
inflated somewhat recently.
--
Bartosz Dziewoński