CVE-2014-9276 — Cross-Site Request Forgery in Mediawiki
Severity
5.1MEDIUMNVD
EPSS
0.1%
top 70.06%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedJan 4
Latest updateMay 17
Description
Cross-site request forgery (CSRF) vulnerability in the Special:ExpandedTemplates page in MediaWiki before 1.19.22, 1.20.x through 1.22.x before 1.22.14, and 1.23.x before 1.23.7, when $wgRawHTML is set to true, allows remote attackers to hijack the authentication of users with edit permissions for requests that cross-site scripting (XSS) attacks via the wpInput parameter, which is not properly handled in the preview.
CVSS vector
AV:N/AC:H/C:P/I:P/A:PExploitability: 4.9 | Impact: 6.4
Affected Packages2 packages
Patches
🔴Vulnerability Details
1GHSA▶
GHSA-4rrq-7p7h-pfq3: Cross-site request forgery (CSRF) vulnerability in the Special:ExpandedTemplates page in MediaWiki before 1↗2022-05-17
📋Vendor Advisories
1Debian▶
CVE-2014-9276: mediawiki - Cross-site request forgery (CSRF) vulnerability in the Special:ExpandedTemplates...↗2014
💬Community
1Bugzilla▶
CVE-2014-9507 CVE-2014-9277 mediawiki: security issues fixed in the 1.23.7, 1.22.14, and 1.19.22 releases↗2014-12-03