CVE-2014-2242

Name of the Vulnerable Software and Affected Versions MediaWiki versions prior to 1.19.12 MediaWiki versions 1.20.x MediaWiki versions 1.21.x prior to 1.21.6 MediaWiki versions 1.22.x prior to 1.22.3

Description The issue allows remote attackers to conduct cross-site scripting (XSS) attacks via an SVG upload. This is demonstrated by the use of a W3C XHTML namespace in conjunction with an IFRAME element, which can be used to inject malicious code.

Recommendations For MediaWiki versions prior to 1.19.12, update to version 1.19.12 or later. For MediaWiki versions 1.20.x, update to a version outside of the 1.20.x range, such as 1.19.12 or 1.21.6 or later. For MediaWiki versions 1.21.x prior to 1.21.6, update to version 1.21.6 or later. For MediaWiki versions 1.22.x prior to 1.22.3, update to version 1.22.3 or later.