An arbitrary script inclusion vulnerability was discovered. The
vulnerability only allows execution of files with names ending in
".php" which are already present in the local filesystem. Only servers
running Microsoft Windows and possibly Novell Netware are affected.
Despite these mitigating factors, all users are advised to upgrade,
since there is a risk of complete server compromise. MediaWiki 1.8.0
and later is affected.
Security researcher mghack discovered a CSS injection
vulnerability. For Internet Explorer and similar browsers, this is
equivalent to an XSS vulnerability, that is to say, it allows the
compromise of wiki user accounts. For other browsers, it allows private
data such as IP addresses and browsing patterns to be sent to a malicious
external web server. It affects all versions of MediaWiki. All users are
advised to upgrade.