CVE-2015-2931Cross-site Scripting in Mediawiki

CWE-79Cross-site Scripting4 documents4 sources
Severity
4.3MEDIUMNVD
EPSS
0.3%
top 48.51%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
MediawikiDebian Mediawiki
Timeline
PublishedApr 13
Latest updateMay 17

Description

Incomplete blacklist vulnerability in includes/upload/UploadBase.php in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via an application/xml MIME type for a nested SVG with a data: URI.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages3 packages

debiandebian/mediawiki< mediawiki 1:1.19.20+dfsg-2.3 (bookworm)
Debianmediawiki/mediawiki< 1:1.19.20+dfsg-2.3+3
NVDmediawiki/mediawiki1.19.23+48

Patches

Patch: lists.wikimedia.orgPatch: lists.wikimedia.org

🔴Vulnerability Details

2
GHSA
GHSA-m3mr-7w8m-ffxc: Incomplete blacklist vulnerability in includes/upload/UploadBase2022-05-17
OSV
CVE-2015-2931: Incomplete blacklist vulnerability in includes/upload/UploadBase2015-04-13

📋Vendor Advisories

1
Debian
CVE-2015-2931: mediawiki - Incomplete blacklist vulnerability in includes/upload/UploadBase.php in MediaWik...2015
CVE-2015-2931 — Cross-site Scripting in Mediawiki | cvebase