CVE-2011-1578

Name of the Vulnerable Software and Affected Versions MediaWiki versions prior to 1.16.3

Description A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via an uploaded file accessed with a dangerous extension, such as .html, at the end of the query string. This is possible when using Internet Explorer 6 or earlier and a modified URI path that replaces the dot character with a %2E sequence.

Recommendations For MediaWiki versions prior to 1.16.3, update to version 1.16.3 or later to resolve the issue. As a temporary workaround, consider restricting access to uploaded files with dangerous extensions, such as .html, until the update is applied.