CVE-2014-5241

Name of the Vulnerable Software and Affected Versions MediaWiki versions prior to 1.19.18 MediaWiki versions 1.20.x through 1.22.x before 1.22.9 MediaWiki versions 1.23.x before 1.23.2

Description The issue concerns the JSONP endpoint in MediaWiki, which does not properly restrict certain long callback values and the initial bytes of a JSONP response. This allows remote attackers to conduct cross-site request forgery (CSRF) attacks and obtain sensitive information via a crafted OBJECT element with SWF content consistent with a restricted character set. The API endpoint in question is "includes/api/ApiFormatJson.php".

Recommendations For MediaWiki versions prior to 1.19.18, update to version 1.19.18 or later. For MediaWiki versions 1.20.x through 1.22.x before 1.22.9, update to version 1.22.9 or later. For MediaWiki versions 1.23.x before 1.23.2, update to version 1.23.2 or later.