CVE-2015-6734 in MediaWiki
Summary
by MITRE
Cross-site scripting (XSS) vulnerability in contrib/cssgen.php in the GeSHi, as used in the SyntaxHighlight_GeSHi extension and MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 06/14/2022
The CVE-2015-6734 vulnerability represents a critical cross-site scripting flaw within the GeSHi library implementation in MediaWiki's SyntaxHighlight_GeSHi extension. This vulnerability exists in multiple versions of MediaWiki prior to the mentioned security patches, specifically affecting versions before 1.23.10, 1.24.3, and 1.25.2 respectively. The flaw resides in the contrib/cssgen.php file which processes user-supplied input without adequate sanitization or validation mechanisms. This creates a persistent security risk where malicious actors can exploit the vulnerability to inject arbitrary web scripts or HTML content into the affected system.
The technical nature of this vulnerability stems from improper input validation and output encoding practices within the GeSHi code generation component. When users submit code snippets or syntax-highlighted content through MediaWiki's editing interface, the cssgen.php script processes these inputs to generate CSS styles for code highlighting. However, the script fails to properly sanitize or escape user-provided data before incorporating it into dynamically generated CSS output. This allows attackers to inject malicious JavaScript code or HTML elements that execute within the context of other users' browsers when they view the affected pages.
From an operational impact perspective, this vulnerability enables attackers to perform various malicious activities including session hijacking, credential theft, defacement of web content, and redirection to malicious sites. The attack surface is particularly concerning as it affects widely deployed MediaWiki installations used by organizations, educational institutions, and content management systems. Successful exploitation could lead to unauthorized access to user accounts, data exfiltration, and compromise of the entire wiki platform. The vulnerability's persistence across multiple MediaWiki version lines indicates a fundamental flaw in the input handling logic that required coordinated patching across different release branches.
The vulnerability maps to CWE-79 (Cross-site Scripting) and aligns with ATT&CK technique T1059.007 (Command and Scripting Interpreter: JavaScript) within the execution phase of the attack lifecycle. Organizations using affected MediaWiki versions should immediately implement security patches to address this vulnerability. Mitigation strategies include upgrading to patched versions of MediaWiki, implementing proper input validation at multiple layers, and deploying web application firewalls with XSS detection capabilities. Additionally, administrators should conduct thorough security audits of their wiki installations and monitor for any suspicious user activity or unauthorized code injections that may indicate exploitation attempts. The vulnerability underscores the critical importance of proper input sanitization and output encoding practices in web applications, particularly those handling user-generated content in rich text environments.