Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 5.1
CVE Id CVE-2014-9276
Last Modified 06 Jan 2015 09:16:03
Published 04 Jan 2015 04:59:01
Confidentiality Impact PARTIAL
Integrity Impact PARTIAL
Availability Impact PARTIAL
Access Vector NETWORK
Access Complexity HIGH
Authentication NONE

CVE-2014-9276

Summary

Cross-site request forgery (CSRF) vulnerability in the Special:ExpandedTemplates page in MediaWiki before 1.19.22, 1.20.x through 1.22.x before 1.22.14, and 1.23.x before 1.23.7, when $wgRawHTML is set to true, allows remote attackers to hijack the authentication of users with edit permissions for requests that conduct cross-site scripting (XSS) attacks via the wpInput parameter, which is not properly handled in the preview.

Vulnerable Systems

Application

  • Mediawiki 1.19.21

  • Mediawiki 1.20

  • Mediawiki 1.20.1

  • Mediawiki 1.20.2

  • Mediawiki 1.20.3

  • Mediawiki 1.20.4

  • Mediawiki 1.20.5

  • Mediawiki 1.20.6

  • Mediawiki 1.20.7

  • Mediawiki 1.20.8

  • Mediawiki 1.21

  • Mediawiki 1.21.1

  • Mediawiki 1.21.10

  • Mediawiki 1.21.11

  • Mediawiki 1.21.2

  • Mediawiki 1.21.3

  • Mediawiki 1.21.4

  • Mediawiki 1.21.5

  • Mediawiki 1.21.6

  • Mediawiki 1.21.7

  • Mediawiki 1.21.8

  • Mediawiki 1.21.9

  • Mediawiki 1.22.0

  • Mediawiki 1.22.1

  • Mediawiki 1.22.10

  • Mediawiki 1.22.11

  • Mediawiki 1.22.12

  • Mediawiki 1.22.13

  • Mediawiki 1.22.2

  • Mediawiki 1.22.3

  • Mediawiki 1.22.4

  • Mediawiki 1.22.5

  • Mediawiki 1.22.6

  • Mediawiki 1.22.7

  • Mediawiki 1.22.8

  • Mediawiki 1.23.0

  • Mediawiki 1.23.1

  • Mediawiki 1.23.2

  • Mediawiki 1.23.3

  • Mediawiki 1.23.4

  • Mediawiki 1.23.5

  • Mediawiki 1.23.6


References

CONFIRM - https://phabricator.wikimedia.org/T73111

MLIST - [MediaWiki-announce] 20141127 MediaWiki Security and Maintenance Releases: 1.23.7, 1.22.14 and 1.19.22

MLIST - [oss-security] 20141204 Re: MediaWiki security release - 1.23.7

MLIST - [oss-security] 20141203 MediaWiki security release - 1.23.7

SECTRACK - 1031301


Last Updated: 27 May 2016 11:07:26