Multiple vulnerabilities in MediaWiki



Updated: 2021-04-10
Risk: High
Patch available: YES
Number of vulnerabilities: 7
CVE-ID: CVE-2014-9487, CVE-2014-9480, CVE-2014-9479, CVE-2014-9478, CVE-2014-9477, CVE-2014-9476, CVE-2014-9475
CWE-ID: CWE-20, CWE-79, CWE-264
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: MediaWiki (Web applications / CMS)
Vendor: MediaWiki.org

Security Bulletin

This security bulletin contains information about 7 vulnerabilities.

1) Input validation error

EUVDB-ID: #VU38063

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2014-9487

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows remote attackers to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MediaWiki: 1.19 - 1.24.0

External links

https://www.openwall.com/lists/oss-security/2015/01/03/13
https://bugzilla.redhat.com/show_bug.cgi?id=1175828
https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-December/000173.html
https://security.gentoo.org/glsa/201502-04


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Cross-site scripting

EUVDB-ID: #VU40939

Risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2014-9480

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability is caused by an input validation error in the Hovercards extension for MediaWiki. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the victim's browser in the security context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MediaWiki: 1.20 - 1.24.0

External links

https://www.openwall.com/lists/oss-security/2014/12/21/2
https://www.openwall.com/lists/oss-security/2015/01/03/13
https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-December/000173.html
https://phabricator.wikimedia.org/T69180


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Cross-site scripting

EUVDB-ID: #VU40940

Risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2014-9479

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability is caused by an input validation error in the preview in the TemplateSandbox extension for MediaWiki when processing the text parameter to Special:TemplateSandbox. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the victim's browser in the security context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MediaWiki: 1.20 - 1.24.0

External links

https://www.openwall.com/lists/oss-security/2014/12/21/2
https://www.openwall.com/lists/oss-security/2015/01/03/13
https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-December/000173.html
https://phabricator.wikimedia.org/T76195


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Cross-site scripting

EUVDB-ID: #VU40941

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2014-9478

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in the preview in the ExpandTemplates extension for MediaWiki when $wgRawHTML is set to true. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MediaWiki: 1.20 - 1.24.0

External links

https://www.openwall.com/lists/oss-security/2014/12/21/2
https://www.openwall.com/lists/oss-security/2015/01/03/13
https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-December/000173.html
https://phabricator.wikimedia.org/T73111


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Cross-site scripting

EUVDB-ID: #VU40942

Risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2014-9477

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

An input validation error exists in the Listings extension for MediaWiki when processing the (1) name or (2) url parameter. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the victim's browser in the security context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MediaWiki: 1.20 - 1.24.0

External links

https://www.openwall.com/lists/oss-security/2014/12/21/2
https://www.openwall.com/lists/oss-security/2015/01/03/13
https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-December/000173.html
https://phabricator.wikimedia.org/T77624


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU40943

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2014-9476

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

MediaWiki 1.2x before 1.22.15, 1.23.x before 1.23.8, and 1.24.x before 1.24.1 allows remote attackers to bypass CORS restrictions in $wgCrossSiteAJAXdomains via a domain that has a partial match to an allowed origin, as demonstrated by "http://en.wikipedia.org.evilsite.example/".
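The partial-match weakness described above can be reproduced with a generic allowlist matcher. The following is an added illustration, not MediaWiki's code: the allowlist entries, the `*`/`?` wildcard translation and all function names are assumptions made for the example. It contrasts an unanchored match against the raw Origin value with a match anchored to the whole parsed host.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist (assumption): '*' = any run of characters, '?' = one character.
ALLOWED_DOMAINS = ["en.wikipedia.org", "*.wikimedia.org"]

def _to_regex(pattern: str) -> str:
    """Translate a wildcard domain pattern into a regex body without anchors."""
    table = {"*": ".*", "?": "."}
    return "".join(table.get(ch, re.escape(ch)) for ch in pattern)

def origin_host(origin: str) -> Optional[str]:
    """Return the lowercase host of an Origin value, or None if it is malformed."""
    try:
        parts = urlsplit(origin)
        host = parts.hostname
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    return host.lower()

def allowed_partial(origin: str) -> bool:
    """Weak check: unanchored search, so an allowed name may sit anywhere in the value."""
    return any(re.search(_to_regex(p), origin, re.I) for p in ALLOWED_DOMAINS)

def allowed_anchored(origin: str) -> bool:
    """Hardened check: the parsed host must match a pattern from start to end."""
    host = origin_host(origin)
    if host is None:
        return False
    return any(re.fullmatch(_to_regex(p), host, re.I) for p in ALLOWED_DOMAINS)

# Constructed Origin values; the second uses the host quoted in the advisory.
SAMPLES = [
    "http://en.wikipedia.org",
    "http://en.wikipedia.org.evilsite.example",
    "https://commons.wikimedia.org",
    "https://x.wikimedia.org.evilsite.example",
]

def compare():
    """Return (origin, weak_result, anchored_result) for each sample."""
    return [(o, allowed_partial(o), allowed_anchored(o)) for o in SAMPLES]

if __name__ == "__main__":
    for origin, weak, strict in compare():
        print(f"{origin:45} partial={weak!s:5} anchored={strict}")
```

An origin check should only set `Access-Control-Allow-Origin` when the anchored comparison succeeds; the same samples make a useful regression test after upgrading.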

Mitigation

Install update from vendor's website.

Vulnerable software versions

MediaWiki: 1.20 - 1.24.0

External links

https://www.mandriva.com/security/advisories?name=MDVSA-2015:006
https://www.openwall.com/lists/oss-security/2014/12/21/2
https://www.openwall.com/lists/oss-security/2015/01/03/13
https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-December/000173.html
https://phabricator.wikimedia.org/T77028


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Cross-site scripting

EUVDB-ID: #VU40944

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]

CVE-ID: CVE-2014-9475

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability is caused by an input validation error in thumb.php in MediaWiki before 1.19.23, 1.2x before 1.22.15, 1.23.x before 1.23.8, and 1.24.x before 1.24.1. A remote authenticated attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the victim's browser in the security context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MediaWiki: 1.20 - 1.24.0

External links

https://www.debian.org/security/2014/dsa-3110
https://www.mandriva.com/security/advisories?name=MDVSA-2015:006
https://www.openwall.com/lists/oss-security/2014/12/21/2
https://www.openwall.com/lists/oss-security/2015/01/03/13
https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-December/000173.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
