CVE-2014-9276

Name of the Vulnerable Software and Affected Versions MediaWiki versions 1.20.x through 1.22.x before 1.22.14 MediaWiki versions 1.23.x before 1.23.7 MediaWiki before 1.19.22

Description A cross-site request forgery (CSRF) issue exists in the Special:ExpandedTemplates page of MediaWiki when $wgRawHTML is set to true. This allows remote attackers to hijack the authentication of users with edit permissions for requests that involve cross-site scripting (XSS) attacks via the wpInput parameter, which is not properly handled in the preview.

Recommendations For MediaWiki versions 1.20.x through 1.22.x before 1.22.14, update to version 1.22.14 or later. For MediaWiki versions 1.23.x before 1.23.7, update to version 1.23.7 or later. For MediaWiki before 1.19.22, update to version 1.19.22 or later. As a temporary workaround, consider setting $wgRawHTML to false to minimize the risk of exploitation.