PT-2014-4578 · Wikimedia+1 · Mediawiki+1
Published
2014-03-02
·
Updated
2016-04-04
·
CVE-2014-2242
CVSS v2.0
4.3
Medium
| Vector | AV:N/AC:M/Au:N/C:N/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
MediaWiki versions prior to 1.19.12
MediaWiki versions 1.20.x
MediaWiki versions 1.21.x prior to 1.21.6
MediaWiki versions 1.22.x prior to 1.22.3
Description
The issue allows remote attackers to conduct cross-site scripting (XSS) attacks via an SVG upload. This is demonstrated by the use of a W3C XHTML namespace in conjunction with an IFRAME element, which can be used to inject malicious code.
Recommendations
For MediaWiki versions prior to 1.19.12, update to version 1.19.12 or later.
For MediaWiki versions 1.20.x, update to a version outside of the 1.20.x range, such as 1.19.12 or 1.21.6 or later.
For MediaWiki versions 1.21.x prior to 1.21.6, update to version 1.21.6 or later.
For MediaWiki versions 1.22.x prior to 1.22.3, update to version 1.22.3 or later.
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Mediawiki