CVE-2014-2242: Cross-site Scripting in Mediawiki

Severity
4.3 MEDIUM (NVD)
EPSS
0.5% (top 34.01%)
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Mar 2
Latest update: May 17

Description

includes/upload/UploadBase.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 does not prevent use of invalid namespaces in SVG files, which allows remote attackers to conduct cross-site scripting (XSS) attacks via an SVG upload, as demonstrated by use of a W3C XHTML namespace in conjunction with an IFRAME element.

CVSS vector

AV:N/AC:M/C:N/I:P/A:N
Exploitability: 8.6 | Impact: 2.9

Affected Packages (3 packages)

debian: debian/mediawiki < mediawiki 1:1.19.12+dfsg-1 (bookworm)
Debian: mediawiki/mediawiki < 1:1.19.12+dfsg-1+3
NVD: mediawiki/mediawiki 1.19.11 +72

Patches

🔴 Vulnerability Details (2)

GHSA: GHSA-xvhv-fm6p-g8q4: includes/upload/UploadBase (2022-05-17)
OSV: CVE-2014-2242: includes/upload/UploadBase (2014-03-02)

📋 Vendor Advisories (1)

Debian: CVE-2014-2242: mediawiki - includes/upload/UploadBase.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x be... (2014)

💬 Community (2)

Bugzilla: CVE-2014-2242 mediawiki119: mediawiki: cross-site scripting flaw when handling SVG images [epel-5] (2014-04-28)
Bugzilla: CVE-2014-2242 mediawiki: cross-site scripting flaw when handling SVG images (2014-02-28)