CVE-2017-0372

Published: 13/04/2018 Updated: 17/05/2018
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 790
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

Parameter injection in the SyntaxHighlight extension of MediaWiki prior to 1.23.16, 1.27.3 and 1.28.2 might result in multiple vulnerabilities.

Vulnerable Product

mediawiki mediawiki 1.27.1

mediawiki mediawiki 1.28.0

mediawiki mediawiki

mediawiki mediawiki 1.27.2

mediawiki mediawiki 1.27.0

mediawiki mediawiki 1.28.1

debian debian linux 9.0

debian debian linux 7.0

Vendor Advisories

Debian Bug report logs - #861585 mediawiki: CVE-2017-0372 (included in security release 1.27.3 and 1.28.2). Package: src:mediawiki; Maintainer for src:mediawiki is Kunal Mehta <legoktm@debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Mon, 1 May 2017 04:54:02 UTC; Severity: important; Tags: fixed ...

The SyntaxHighlight extension in MediaWiki before 1.28.1 does not properly validate the 'start' parameter before passing it to Pygments ...

Exploits

A vulnerability was found in the SyntaxHighlight MediaWiki extension. Using this vulnerability it is possible for an anonymous attacker to pass arbitrary options to the Pygments library. By specifying specially crafted options, it is possible for an attacker to trigger a (stored) cross site scripting condition. In addition, it allows the creating o ...