PT-2011-3239 · Wikimedia · Mediawiki

Published: 2011-04-27 · Updated: 2023-02-13 · CVE-2011-1587

CVSS v2.0: 4.3 (Medium)

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions

MediaWiki versions prior to 1.16.4

Description

A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via an uploaded file with a dangerous extension, such as .html, when accessed with a specific query string and modified URI path containing a %2E sequence. This issue is particularly relevant when using Internet Explorer 6 or earlier.

Recommendations

For versions prior to 1.16.4, update to version 1.16.4 or later to resolve the issue. As a temporary workaround, consider restricting access to uploaded files with dangerous extensions, such as .html, until the update is applied.

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2011-1587
DSA-2366-1

Affected Products

Internet Explorer
Mediawiki