CVE-2008-5250
Description
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.6.11, 1.12.x before 1.12.2, and 1.13.x before 1.13.3, when Internet Explorer is used and uploads are enabled, or an SVG scripting browser is used and SVG uploads are enabled, allows remote authenticated users to inject arbitrary web script or HTML by editing a wiki page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated wiki editors can inject arbitrary script into pages, leading to XSS in Internet Explorer or SVG-capable browsers when uploads are enabled, fixed in MediaWiki 1.6.11, 1.12.2, and 1.13.3.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in MediaWiki versions before 1.6.11, 1.12.x before 1.12.2, and 1.13.x before 1.13.3. The issue is described as a "local script injection vulnerability" that affects Internet Explorer clients on all installations with uploads enabled, and clients with SVG scripting capability (such as Firefox 1.5+) on installations with SVG uploads enabled [1]. This allows authenticated users to inject arbitrary web script or HTML by editing a wiki page.
Exploitation
An attacker must have an authenticated account on the target wiki and the ability to edit pages. When Internet Explorer is used, uploads must be enabled; when an SVG scripting-capable browser is used, SVG uploads must be enabled. The attacker crafts a malicious edit that, when rendered by a victim's browser, executes injected script. The victim must visit the crafted page to trigger the attack [1].
Impact
Successful exploitation allows an attacker to inject arbitrary web script or HTML in the context of the affected wiki, potentially stealing the victim's login session and performing actions on the wiki as that user [1]. The attack is limited to authenticated users and requires specific browser and upload configurations.
Mitigation
Mitigation is achieved by upgrading to the fixed versions: MediaWiki 1.6.11, 1.12.2, or 1.13.3, released on December 15, 2008 [1]. Users of the development trunk branch should upgrade to revision 44506 or later. No workaround is available other than disabling uploads or SVG uploads, as applicable.
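The fixed releases above map onto the affected ranges this record lists (<1.6.11, >=1.12.0 <1.12.2, >=1.13.0 <1.13.3). The following added example, which is not part of this record or of MediaWiki's own code, shows how an operator can turn that range expression into a check against an installed version string and report which release closes the gap. The range string, the sample versions and the helper names are this example's own constructs; version strings are compared numerically component by component, with missing components padded with zero, and any suffix after the numeric part (for example a release-candidate tag) is ignored.

```python
"""Check an installed MediaWiki version against the affected ranges of CVE-2008-5250."""
import re
from typing import List, Optional, Tuple

# Affected ranges exactly as listed in this record (copied from its range line).
AFFECTED_RANGES = "<1.6.11, >=1.12.0 <1.12.2, >=1.13.0 <1.13.3"

Version = Tuple[int, ...]
Constraint = Tuple[str, Version]


def parse_version(text: str) -> Version:
    """Turn '1.13.2' (or '1.13.2-rc1') into (1, 13, 2); the numeric prefix is what counts."""
    match = re.match(r"^\s*(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def compare(a: Version, b: Version) -> int:
    """Return -1, 0 or 1; shorter tuples are padded with zeros so 1.13 == 1.13.0."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


# Each operator maps the result of compare() to a boolean.
OPS = {
    "<": lambda c: c < 0,
    "<=": lambda c: c <= 0,
    ">": lambda c: c > 0,
    ">=": lambda c: c >= 0,
    "==": lambda c: c == 0,
}


def parse_ranges(spec: str) -> List[List[Constraint]]:
    """Split 'a, b c' into clauses; constraints within one clause must all hold."""
    clauses = []
    for clause in spec.split(","):
        constraints = [
            (op, parse_version(bound))
            # Two-character operators are listed first so '<=' is not read as '<'.
            for op, bound in re.findall(r"(<=|>=|==|<|>)\s*([\d.]+)", clause)
        ]
        if constraints:
            clauses.append(constraints)
    return clauses


def matching_clause(version: str, spec: str = AFFECTED_RANGES) -> Optional[List[Constraint]]:
    """Return the first clause the version satisfies, or None if no clause matches."""
    installed = parse_version(version)
    for constraints in parse_ranges(spec):
        if all(OPS[op](compare(installed, bound)) for op, bound in constraints):
            return constraints
    return None


def is_affected(version: str, spec: str = AFFECTED_RANGES) -> bool:
    """True when the version falls inside any listed affected range."""
    return matching_clause(version, spec) is not None


def fixed_version_for(version: str, spec: str = AFFECTED_RANGES) -> Optional[str]:
    """For an affected version, the upper bound of its clause is the release that fixes it."""
    clause = matching_clause(version, spec)
    if clause is None:
        return None
    for op, bound in clause:
        if op == "<":
            return ".".join(str(part) for part in bound)
    return None


if __name__ == "__main__":
    # Constructed sample inputs: one per branch plus a release-candidate string.
    for sample in ("1.6.10", "1.6.11", "1.12.1", "1.13", "1.13.3-rc1"):
        print(sample, "affected" if is_affected(sample) else "not listed",
              fixed_version_for(sample) or "")
```

The check reproduces the record's data, nothing more: versions 1.7 through 1.11 are absent from the listed ranges, so the function reports them as not listed rather than as safe, and an operator should read that result as "not covered by this record", not as an assurance about those branches.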
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:mediawiki:mediawiki:1.12.0:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.12.1:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.13.0:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.13.1:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.13.2:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.6.11:*:*:*:*:*:*:*
- (no CPE) range: <1.6.11, >=1.12.0 <1.12.2, >=1.13.0 <1.13.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- lists.wikimedia.org/pipermail/mediawiki-announce/2008-December/000080.html (nvd: Patch, Vendor Advisory)
- secunia.com/advisories/33133 (nvd: Patch, Vendor Advisory)
- lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html (nvd)
- secunia.com/advisories/33349 (nvd)
- www.debian.org/security/2009/dsa-1901 (nvd)
- www.securityfocus.com/bid/32844 (nvd)
- www.redhat.com/archives/fedora-package-announce/2008-December/msg01256.html (nvd)
- www.redhat.com/archives/fedora-package-announce/2008-December/msg01309.html (nvd)
News mentions
No linked articles in our index yet.