CVE-2015-2934Cross-site Scripting in Mediawiki

CWE-79Cross-site Scripting4 documents4 sources
Severity
4.3MEDIUMNVD
EPSS
0.3%
top 48.51%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
MediawikiDebian Mediawiki
Timeline
PublishedApr 13
Latest updateMay 17

Description

MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 does not properly handle when the Zend interpreter xml_parse function does not expand entities, which allows remote attackers to inject arbitrary web script or HTML via a crafted SVG file.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages3 packages

debiandebian/mediawiki< mediawiki 1:1.19.20+dfsg-2.3 (bookworm)
Debianmediawiki/mediawiki< 1:1.19.20+dfsg-2.3+3
NVDmediawiki/mediawiki1.19.23+48

Patches

Patch: lists.wikimedia.orgPatch: lists.wikimedia.org

🔴Vulnerability Details

2
GHSA
GHSA-xg52-pgjm-f8fw: MediaWiki before 12022-05-17
OSV
CVE-2015-2934: MediaWiki before 12015-04-13

📋Vendor Advisories

1
Debian
CVE-2015-2934: mediawiki - MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 does not ...2015
CVE-2015-2934 — Cross-site Scripting in Mediawiki | cvebase