Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2014-1610: Improper Input Validation in MediaWiki

Severity: 6.0 MEDIUM (NVD)
EPSS: 48.0% (top 2.26%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Affected products: see Affected Packages below
Timeline: Published Jan 30; latest update May 17

Description

MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5, and 1.19.x before 1.19.11, when DjVu or PDF file upload support is enabled, allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the page parameter to includes/media/DjVu.php; (2) the w parameter (aka width field) to thumb.php, which is not properly handled by includes/media/PdfHandler_body.php; and possibly unspecified vectors in (3) includes/media/Bitmap.php and (4) includes/media/ImageHandler.php.

CVSS vector

AV:N/AC:M/C:P/I:P/A:P (Exploitability: 6.8 | Impact: 6.4)

Affected Packages (3 packages)

- Debian, debian/mediawiki: < mediawiki 1:1.19.11+dfsg-1 (bookworm)
- Debian, mediawiki/mediawiki: < 1:1.19.11+dfsg-1+3
- NVD, mediawiki/mediawiki: 17 versions (+16)

🔴 Vulnerability Details (2)

- GHSA: GHSA-88m3-jgcp-453j: MediaWiki 1 (2022-05-17)
- OSV: CVE-2014-1610: MediaWiki 1 (2014-01-30)

💥 Exploits & PoCs (3)

- Exploit-DB: MediaWiki - 'Thumb.php' Remote Command Execution (Metasploit) (2014-02-19)
- Exploit-DB: MediaWiki 1.22.1 PdfHandler - Remote Code Execution (2014-02-01)
- Metasploit: MediaWiki Thumb.php Remote Command Execution

🔍 Detection Rules (1)

- Suricata: ET WEB_SPECIFIC_APPS MediaWiki thumb.php RCE (2014-02-22)

📋 Vendor Advisories (1)

- Debian: CVE-2014-1610: mediawiki - MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5, and 1.19.x before 1.19.11,... (2014)

💬 Community (4)

- Bugzilla: CVE-2014-1610 mediawiki: remote code execution via uploaded DjVu or PDF files (2014-01-28)
- Bugzilla: CVE-2014-1610 mediawiki: remote code execution via uploaded DjVu or PDF files [fedora-all] (2014-01-28)
- Bugzilla: CVE-2014-1610 mediawiki119: mediawiki: remote code execution via uploaded DjVu or PDF files [epel-6] (2014-01-28)
- Bugzilla: CVE-2014-1610 mediawiki: remote code execution via uploaded DjVu or PDF files [epel-5] (2014-01-28)
CVE-2014-1610 — Improper Input Validation in Mediawiki | cvebase