PT-2015-4233 · Wikimedia+1 · Mediawiki+1

Anomie · Published 2015-01-16 · Updated 2015-09-17 · CVE-2014-9476

CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions
MediaWiki versions 1.2x through 1.22.14
MediaWiki versions 1.23.x through 1.23.7
MediaWiki versions 1.24.x through 1.24.0

Description
The issue allows remote attackers to bypass CORS restrictions in $wgCrossSiteAJAXdomains via a domain that has a partial match to an allowed origin. This can be demonstrated by using a domain such as "http://en.wikipedia.org.evilsite.example/".

Recommendations
For MediaWiki versions 1.2x through 1.22.14, update to version 1.22.15 or later.
For MediaWiki versions 1.23.x through 1.23.7, update to version 1.23.8 or later.
For MediaWiki versions 1.24.x through 1.24.0, update to version 1.24.1 or later.
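
The partial-match failure from the description, modelled as an added example (not MediaWiki's code and not part of this advisory). `naive_origin_allowed` is a hypothetical substring check standing in for the flawed behaviour, `strict_origin_allowed` is a whole-host match, and the allow-list values are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list in the style of $wgCrossSiteAJAXdomains:
# host patterns where '*' is a wildcard (assumed semantics for this example).
ALLOWED = ["en.wikipedia.org", "*.wikimedia.org"]


def naive_origin_allowed(origin, allowed=ALLOWED):
    """Flawed model: any Origin that merely contains an allowed host passes."""
    return any(pat.replace("*", "") in origin for pat in allowed)


def pattern_to_regex(pattern):
    """Turn a host pattern into a regex anchored at both ends."""
    body = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern.lower())
    return re.compile(r"\A" + body + r"\Z")


def strict_origin_allowed(origin, allowed=ALLOWED):
    """Parse the Origin header value, then match the entire host."""
    try:
        parts = urlsplit(origin)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    # A serialized origin is scheme://host[:port]; anything more is rejected.
    if parts.username or parts.path not in ("", "/") or parts.query or parts.fragment:
        return False
    host = parts.hostname.lower()
    return any(pattern_to_regex(pat).match(host) for pat in allowed)


def compare(origins):
    """Return {origin: (naive_result, strict_result)} for side-by-side review."""
    return {o: (naive_origin_allowed(o), strict_origin_allowed(o)) for o in origins}


if __name__ == "__main__":
    # Constructed sample Origin values; the third is the one quoted in the advisory.
    samples = [
        "https://en.wikipedia.org",
        "https://commons.wikimedia.org",
        "http://en.wikipedia.org.evilsite.example/.",
        "https://en.wikipedia.org.evilsite.example",
    ]
    for origin, (naive, strict) in compare(samples).items():
        print(f"{origin:45} naive={naive!s:5} strict={strict}")
```
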

Exploit

Fix


Weakness Enumeration

Related identifiers

ALT-PU-2015-1194
CVE-2014-9476

Affected products

Alt Linux
Mediawiki