VWE-2011-0100

https://www.vaultwiki.org/pages/Book/Documentation/VWE-2011-0100
This page is a chapter in Info Known Vulnerabilities

Common Name: Target Injection Vulnerability
VWE-ID: VWE-2011-0100
Related Report: None
Severity: HIGH
Exploit Difficulty: EASY
Platform: Affects all platforms supported by the vulnerable versions.
Description: HTML/Javascript injection. A malicious user can include arbitrary HTML in the URL parameter for target selection on Special:WhatLinksHere. If the parameter does not point to an existing wiki page, the target text will be displayed on the page with various HTML entities unencoded. Does not affect Lite versions.
Discovered: June 14, 2011
Resolved: June 23, 2011
Patches Available:
    3.0.12
    3.0.11 Patch Level 1
    3.0.10 Patch Level 1
    3.0.9 Patch Level 1
    3.0.8 Patch Level 1
    3.0.7 Patch Level 1
    3.0.6 Patch Level 1
    3.0.5 Patch Level 1
    3.0.4 Patch Level 1
    3.0.3 Patch Level 1
    3.0.2 Patch Level 1
    3.0.1 Patch Level 1
Workaround: In Settings > Options > VaultWiki: Server Settings, disable "Enable Link Caching."
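
The behaviour in the Description, shown as an unencoded "missing target" notice next to an encoded one, with a parser-based check that can serve as a regression test. This is an added illustration in Python, not VaultWiki's code: the template, function names, page index and sample value are all hypothetical.

```python
import html
from html.parser import HTMLParser

# Hypothetical stand-in for the wiki's page index (constructed sample data).
EXISTING_PAGES = {"Main Page", "Installation"}

# Hypothetical notice template; only <p> and <em> are meant to appear.
NOTICE = '<p class="notice">No page named <em>{target}</em> exists.</p>'


def render_notice_unencoded(target):
    """'Before' behaviour the advisory describes: the target is echoed as-is."""
    if target in EXISTING_PAGES:
        return None  # real page: a backlink list would be rendered instead
    return NOTICE.format(target=target)


def render_notice_encoded(target):
    """Corrected form: encode the parameter for the HTML context it lands in."""
    if target in EXISTING_PAGES:
        return None
    return NOTICE.format(target=html.escape(target, quote=True))


class TagCollector(HTMLParser):
    """Records every element start tag an HTML parser sees in the output."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(markup):
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def introduces_markup(render, target):
    """True if rendering `target` yields elements the template did not define."""
    baseline = tags_in(render("plain missing title"))
    return tags_in(render(target)) != baseline


# Constructed, harmless sample value carrying markup.
SAMPLE_TARGET = 'No Such Page<i title="x">injected</i>'
```

Comparing parsed element lists rather than searching for `<` in the output catches the case that matters: whether the parameter changed the structure of the page.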
The versions listed below are known to be affected by this issue. If you are using one of those versions, you should update to a newer release that has no known vulnerabilities.