Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score 5.0
CVE Id CVE-2014-9476
Last Modified 17 Sep 2015 02:14:52
Published 16 Jan 2015 11:59:10
Confidentiality Impact NONE
Integrity Impact PARTIAL
Availability Impact NONE
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2014-9476

Summary

MediaWiki 1.2x before 1.22.15, 1.23.x before 1.23.8, and 1.24.x before 1.24.1 allows remote attackers to bypass CORS restrictions in $wgCrossSiteAJAXdomains via a domain that has a partial match to an allowed origin, as demonstrated by "http://en.wikipedia.org.evilsite.example/."

Vulnerable Systems

Application

  • Mediawiki 1.19.22

  • Mediawiki 1.20

  • Mediawiki 1.20.1

  • Mediawiki 1.20.2

  • Mediawiki 1.20.3

  • Mediawiki 1.20.4

  • Mediawiki 1.20.5

  • Mediawiki 1.20.6

  • Mediawiki 1.20.7

  • Mediawiki 1.20.8

  • Mediawiki 1.21

  • Mediawiki 1.21.1

  • Mediawiki 1.21.10

  • Mediawiki 1.21.11

  • Mediawiki 1.21.2

  • Mediawiki 1.21.3

  • Mediawiki 1.21.4

  • Mediawiki 1.21.5

  • Mediawiki 1.21.6

  • Mediawiki 1.21.7

  • Mediawiki 1.21.8

  • Mediawiki 1.21.9

  • Mediawiki 1.22.0

  • Mediawiki 1.22.1

  • Mediawiki 1.22.10

  • Mediawiki 1.22.11

  • Mediawiki 1.22.12

  • Mediawiki 1.22.13

  • Mediawiki 1.22.14

  • Mediawiki 1.22.2

  • Mediawiki 1.22.3

  • Mediawiki 1.22.4

  • Mediawiki 1.22.5

  • Mediawiki 1.22.6

  • Mediawiki 1.22.7

  • Mediawiki 1.22.8

  • Mediawiki 1.22.9

  • Mediawiki 1.23.0

  • Mediawiki 1.23.1

  • Mediawiki 1.23.2

  • Mediawiki 1.23.3

  • Mediawiki 1.23.4

  • Mediawiki 1.23.5

  • Mediawiki 1.23.6

  • Mediawiki 1.23.7

  • Mediawiki 1.24.0


References

CONFIRM - https://phabricator.wikimedia.org/T77028

MLIST - [MediaWiki-announce] 20141217 MediaWiki Security and Maintenance Releases: 1.24.1, 1.23.8, 1.22.15 and 1.19.23

MLIST - [oss-security] 20150103 Re: CVE Request: Mediawiki security releases 1.24.1, 1.23.8, 1.22.15 and 1.19.23

MLIST - [oss-security] 20141221 CVE Request: Mediawiki security releases 1.24.1, 1.23.8, 1.22.15 and 1.19.23

MANDRIVA - MDVSA-2015:006


Last Updated: 27 May 2016 11:07:34