MediaWiki 1.19.18/1.19.19/1.22.11/1.23.3/1.23.4 cross site scripting
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 4.1 | $0-$5k | 0.00 |
Summary
A vulnerability was found in MediaWiki 1.19.18/1.19.19/1.22.11/1.23.3/1.23.4. It has been declared as problematic. Affected by this vulnerability is an unknown functionality. Executing a manipulation can lead to cross site scripting. This vulnerability appears as CVE-2014-7295. The attack may be performed from remote. In addition, an exploit is available. It is recommended to upgrade the affected component.
Details
A vulnerability has been found in MediaWiki 1.19.18/1.19.19/1.22.11/1.23.3/1.23.4 (Content Management System) and classified as problematic. This vulnerability affects some unknown processing. The manipulation with an unknown input leads to a cross site scripting vulnerability. The CWE definition for the vulnerability is CWE-79. The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. As an impact it is known to affect integrity.
The weakness was presented 10/02/2014 as MediaWiki Security and Maintenance Releases: 1.19.20, 1.22.12 and 1.23.5, Bug 70672 as confirmed release notes (Mailing List). The advisory is available at lists.wikimedia.org. This vulnerability was named CVE-2014-7295 since 10/02/2014. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. Successful exploitation requires user interaction by the victim. Technical details are unknown but an exploit is available. This vulnerability is assigned to T1059.007 by the MITRE ATT&CK project.
It is declared as highly functional. The vulnerability scanner Nessus provides a plugin with the ID 78103 (Fedora 21 : mediawiki-1.23.5-1.fc21 (2014-12155)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Fedora Local Security Checks.
Upgrading to version 1.19.20, 1.22.12 or 1.23.5 eliminates this vulnerability. The upgrade is hosted for download at releases.wikimedia.org. Applying a patch is able to eliminate this problem. The bugfix is ready for download at releases.wikimedia.org. The best possible mitigation is suggested to be upgrading to the latest version. A possible mitigation has been published immediately after the disclosure of the vulnerability.
The vulnerability is also documented in the databases at X-Force (96838), Tenable (78103), SecurityFocus (BID 70238†), Secunia (SA61752†) and Vulnerability Center (SBV-46418†). Additional details are provided at bugzilla.wikimedia.org. Once again VulDB remains the best source for vulnerability data.
Product
Type
Name
Version
License
Website
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 4.3VulDB Meta Temp Score: 4.1
VulDB Base Score: 4.3
VulDB Temp Score: 4.1
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Cross site scriptingCWE: CWE-79 / CWE-94 / CWE-74
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Highly functional
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 78103
Nessus Name: Fedora 21 : mediawiki-1.23.5-1.fc21 (2014-12155)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Port: 🔍
OpenVAS ID: 703046
OpenVAS Name: Debian Security Advisory DSA 3046-1 (mediawiki - security update)
OpenVAS File: 🔍
OpenVAS Family: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Upgrade: MediaWiki 1.19.20/1.22.12/1.23.5
Patch: releases.wikimedia.org
Timeline
09/10/2014 🔍10/02/2014 🔍
10/02/2014 🔍
10/02/2014 🔍
10/07/2014 🔍
10/09/2014 🔍
10/09/2014 🔍
10/09/2014 🔍
10/12/2014 🔍
02/21/2022 🔍
Sources
Product: mediawiki.orgAdvisory: MediaWiki Security and Maintenance Releases: 1.19.20, 1.22.12 and 1.23.5, Bug 70672
Status: Confirmed
Confirmation: 🔍
CVE: CVE-2014-7295 (🔍)
GCVE (CVE): GCVE-0-2014-7295
GCVE (VulDB): GCVE-100-67738
OVAL: 🔍
X-Force: 96838 - MediaWiki css module cross-site scripting, Medium Risk
SecurityFocus: 70238
Secunia: 61752 - Debian update for mediawiki, Less Critical
Vulnerability Center: 46418 - MediaWiki Remote Cross-Site Scripting via Crafted CSS, Low
scip Labs: https://www.scip.ch/en/?labs.20161013
Misc.: 🔍
Entry
Created: 10/09/2014 11:06Updated: 02/21/2022 10:57
Changes: 10/09/2014 11:06 (77), 06/08/2017 09:17 (3), 02/21/2022 10:51 (3), 02/21/2022 10:57 (1)
Complete: 🔍
Cache ID: 216:3DC:103
No comments yet. Languages: en.
Please log in to comment.