CVE-2014-9475

Published: 16/01/2015 Updated: 17/09/2015
CVSS v2 Base Score: 3.5 | Impact Score: 2.9 | Exploitability Score: 6.8
VMScore: 312
Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N

Vulnerability Summary

Cross-site scripting (XSS) vulnerability in thumb.php in MediaWiki prior to 1.19.23, 1.2x prior to 1.22.15, 1.23.x prior to 1.23.8, and 1.24.x prior to 1.24.1 allows remote authenticated users to inject arbitrary web script or HTML via a wikitext message.

Vulnerable Product

mediawiki mediawiki

mediawiki mediawiki 1.20

mediawiki mediawiki 1.21.2

mediawiki mediawiki 1.21.3

mediawiki mediawiki 1.21.4

mediawiki mediawiki 1.21.5

mediawiki mediawiki 1.21.6

mediawiki mediawiki 1.22.4

mediawiki mediawiki 1.22.5

mediawiki mediawiki 1.22.6

mediawiki mediawiki 1.22.7

mediawiki mediawiki 1.20.5

mediawiki mediawiki 1.20.6

mediawiki mediawiki 1.20.7

mediawiki mediawiki 1.20.8

mediawiki mediawiki 1.22.1

mediawiki mediawiki 1.22.10

mediawiki mediawiki 1.22.11

mediawiki mediawiki 1.22.12

mediawiki mediawiki 1.23.3

mediawiki mediawiki 1.23.4

mediawiki mediawiki 1.23.5

mediawiki mediawiki 1.23.6

mediawiki mediawiki 1.20.1

mediawiki mediawiki 1.20.3

mediawiki mediawiki 1.21.1

mediawiki mediawiki 1.21.11

mediawiki mediawiki 1.21.8

mediawiki mediawiki 1.22.0

mediawiki mediawiki 1.22.13

mediawiki mediawiki 1.22.2

mediawiki mediawiki 1.22.9

mediawiki mediawiki 1.23.1

mediawiki mediawiki 1.24.0

mediawiki mediawiki 1.20.2

mediawiki mediawiki 1.20.4

mediawiki mediawiki 1.21

mediawiki mediawiki 1.21.10

mediawiki mediawiki 1.21.7

mediawiki mediawiki 1.21.9

mediawiki mediawiki 1.22.14

mediawiki mediawiki 1.22.3

mediawiki mediawiki 1.22.8

mediawiki mediawiki 1.23.0

mediawiki mediawiki 1.23.2

mediawiki mediawiki 1.23.7

Vendor Advisories

Debian Bug report logs - #773654 mediawiki: CVE-2014-9475: thumb.php outputs wikitext message as raw HTML. Package: mediawiki; Maintainer for mediawiki is Kunal Mehta <legoktm@debian.org>; Source for mediawiki is src:mediawiki (PTS, buildd, popcon). Reported by: Sebastien Delafond <seb@debian.org>. Date: Sun, 21 Dec 201 ...

A flaw was discovered in mediawiki, a wiki engine: thumb.php outputs wikitext messages as raw HTML, potentially leading to cross-site scripting (XSS). For the stable distribution (wheezy), this problem has been fixed in version 1.19.20+dfsg-0+deb7u3; this version additionally fixes a regression introduced in the previous release, DSA-3100-1. For th ...