CVE-2014-9478

Name of the Vulnerable Software and Affected Versions MediaWiki ExpandTemplates extension (affected versions not specified)

Description A cross-site scripting (XSS) issue exists in the preview functionality of the ExpandTemplates extension for MediaWiki. This occurs when the $wgRawHTML setting is enabled, allowing remote attackers to inject arbitrary web script or HTML through the wpInput parameter to the "Special:ExpandTemplates" page.

Recommendations For the affected version of the MediaWiki ExpandTemplates extension, consider disabling the $wgRawHTML setting to prevent exploitation until a patch is available. As a temporary workaround, restrict access to the Special:ExpandTemplates page to minimize the risk of exploitation. Avoid using the wpInput parameter in the affected page until the issue is resolved.