Executive Summary
Summary | |
---|---|
Title | MediaWiki: Multiple vulnerabilities |
Information | | | |
---|---|---|---|
Name | GLSA-201502-04 | First vendor publication | 2015-02-07 |
Vendor | Gentoo | Last vendor modification | 2015-02-07 |
Severity (vendor) | High | Revision | N/A |
Security-Database Scoring CVSS v3
CVSS vector: N/A | | | |
---|---|---|---|
Overall CVSS score | NA | | |
Base score | NA | Environmental score | NA |
Impact subscore | NA | Temporal score | NA |
Exploitability subscore | NA | | |
Security-Database Scoring CVSS v2
CVSS vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) | | | |
---|---|---|---|
CVSS base score | 7.5 | Attack range | Network |
CVSS impact score | 6.4 | Attack complexity | Low |
CVSS exploit score | 10 | Authentication | None required |
Detail | |
---|---|
Synopsis | Multiple vulnerabilities have been found in MediaWiki, the worst of which may allow remote attackers to execute arbitrary code. |
Background | |
Description | |
Impact | |
Workaround | |
Resolution | All MediaWiki 1.22 users should upgrade to the latest version: All MediaWiki 1.19 users should upgrade to the latest version: |
References | https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-June/000155.html |
Availability | http://security.gentoo.org/glsa/glsa-201502-04.xml |
Original Source
URL | http://security.gentoo.org/glsa/glsa-201502-04.xml |
CWE: Common Weakness Enumeration
% | Id | Name |
---|---|---|
56 % | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25) |
12 % | CWE-20 | Improper Input Validation |
8 % | CWE-352 | Cross-Site Request Forgery (CSRF) (CWE/SANS Top 25) |
4 % | CWE-611 | Information Leak Through XML External Entity File Disclosure |
4 % | CWE-362 | Race Condition |
4 % | CWE-287 | Improper Authentication |
4 % | CWE-264 | Permissions, Privileges, and Access Controls |
4 % | CWE-200 | Information Exposure |
4 % | CWE-77 | Improper Sanitization of Special Elements used in a Command ('Command Injection') |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:24466 | | | |
---|---|---|---|
Oval ID | oval:org.mitre.oval:def:24466 | | |
Title | DSA-2891-1 mediawiki - security update | | |
Description | Several vulnerabilities were discovered in MediaWiki, a wiki engine. | | |
Family | unix | Class | patch |
Reference(s) | DSA-2891-1 CVE-2013-2031 CVE-2013-4567 CVE-2013-4568 CVE-2013-4572 CVE-2013-6452 CVE-2013-6453 CVE-2013-6454 CVE-2013-6472 CVE-2014-1610 CVE-2014-2665 | Version | 5 |
Platform(s) | Debian GNU/Linux 7 Debian GNU/kFreeBSD 7 | Product(s) | mediawiki mediawiki-extensions |
Definition synopsis | | | |
Definition Id: oval:org.mitre.oval:def:26197 | | | |
---|---|---|---|
Oval ID | oval:org.mitre.oval:def:26197 | | |
Title | DSA-3011-1 mediawiki - security update | | |
Description | It was discovered that MediaWiki, a website engine for collaborative work, is vulnerable to JSONP injection in Flash (CVE-2014-5241) and clickjacking between OutputPage and ParserOutput (CVE-2014-5243). The vulnerabilities are addressed by upgrading MediaWiki to the new upstream version 1.19.18, which includes additional changes. | | |
Family | unix | Class | patch |
Reference(s) | DSA-3011-1 CVE-2014-5241 CVE-2014-5243 | Version | 3 |
Platform(s) | Debian GNU/Linux 7.0 Debian GNU/kFreeBSD 7.0 | Product(s) | mediawiki |
Definition synopsis | | | |
Definition Id: oval:org.mitre.oval:def:26719 | | | |
---|---|---|---|
Oval ID | oval:org.mitre.oval:def:26719 | | |
Title | DSA-3046-1 mediawiki - security update | | |
Description | It was reported that MediaWiki, a website engine for collaborative work, allowed user-created CSS to be loaded on pages where user-created JavaScript is not allowed. A wiki user could be tricked into performing actions by manipulating the interface from CSS, or by JavaScript code being executed from CSS, on security-sensitive pages like Special:Preferences and Special:UserLogin. This update removes the separation of CSS and JavaScript module allowance. | | |
Family | unix | Class | patch |
Reference(s) | DSA-3046-1 CVE-2014-7295 | Version | 3 |
Platform(s) | Debian GNU/Linux 7.0 Debian GNU/kFreeBSD 7.0 | Product(s) | mediawiki |
Definition synopsis | | | |
Definition Id: oval:org.mitre.oval:def:26938 | | | |
---|---|---|---|
Oval ID | oval:org.mitre.oval:def:26938 | | |
Title | DSA-3036-1 mediawiki - security update | | |
Description | It was discovered that MediaWiki, a wiki engine, did not sufficiently filter CSS in uploaded SVG files, allowing for cross-site scripting. | | |
Family | unix | Class | patch |
Reference(s) | DSA-3036-1 CVE-2014-7199 | Version | 3 |
Platform(s) | Debian GNU/Linux 7.0 Debian GNU/kFreeBSD 7.0 | Product(s) | mediawiki |
Definition synopsis | | | |
Definition Id: oval:org.mitre.oval:def:28465 | | | |
---|---|---|---|
Oval ID | oval:org.mitre.oval:def:28465 | | |
Title | DSA-3100-1 -- mediawiki security update | | |
Description | A flaw was discovered in mediawiki, a wiki engine: cross-domain-policy mangling allows an article editor to inject code into API consumers that deserialize PHP representations of the page from the API. | | |
Family | unix | Class | patch |
Reference(s) | DSA-3100-1 CVE-2014-9277 | Version | 3 |
Platform(s) | Debian GNU/Linux 7.0 Debian GNU/kFreeBSD 7.0 | Product(s) | mediawiki |
Definition synopsis | | | |
Definition Id: oval:org.mitre.oval:def:29025 | | | |
---|---|---|---|
Oval ID | oval:org.mitre.oval:def:29025 | | |
Title | DSA-2891-2 -- mediawiki, mediawiki-extensions -- security update | | |
Description | Several vulnerabilities were discovered in MediaWiki, a wiki engine. | | |
Family | unix | Class | patch |
Reference(s) | DSA-2891-2 CVE-2013-2031 CVE-2013-2032 CVE-2013-4567 CVE-2013-4568 CVE-2013-4572 CVE-2013-6452 CVE-2013-6453 CVE-2013-6454 CVE-2013-6472 CVE-2014-1610 CVE-2014-2665 | Version | 3 |
Platform(s) | Debian GNU/Linux 7.0 Debian GNU/kFreeBSD 7.0 | Product(s) | mediawiki mediawiki-extensions |
Definition synopsis | | | |
Definition Id: oval:org.mitre.oval:def:29092 | | | |
---|---|---|---|
Oval ID | oval:org.mitre.oval:def:29092 | | |
Title | DSA-2891-3 -- mediawiki, mediawiki-extensions -- security update | | |
Description | Several vulnerabilities were discovered in MediaWiki, a wiki engine. | | |
Family | unix | Class | patch |
Reference(s) | DSA-2891-3 CVE-2013-2031 CVE-2013-2032 CVE-2013-4567 CVE-2013-4568 CVE-2013-4572 CVE-2013-6452 CVE-2013-6453 CVE-2013-6454 CVE-2013-6472 CVE-2014-1610 CVE-2014-2665 | Version | 3 |
Platform(s) | Debian GNU/Linux 7.0 Debian GNU/kFreeBSD 7.0 | Product(s) | mediawiki mediawiki-extensions |
Definition synopsis | | | |
CPE: Common Platform Enumeration
ExploitDB Exploits
Date | Description |
---|---|
2014-02-19 | MediaWiki Thumb.php Remote Command Execution |
2014-02-01 | MediaWiki <= 1.22.1 PdfHandler Remote Code Execution Exploit (CVE-2014-1610) |
Snort® IPS/IDS
Date | Description |
---|---|
2014-03-06 | Mediawiki DjVu and PDF handling code execution attempt RuleID : 29582 - Revision : 4 - Type : SERVER-OTHER |
Nessus® Vulnerability Scanner
Date | Name | File | Type |
---|---|---|---|
2015-06-12 | The remote web server contains an application that is affected by multiple vu... | mediawiki_1_24_2.nasl | ACT_GATHER_INFO |
2015-02-09 | The remote Gentoo host is missing one or more security-related patches. | gentoo_GLSA-201502-04.nasl | ACT_GATHER_INFO |
2014-12-26 | The remote Debian host is missing a security-related update. | debian_DSA-3110.nasl | ACT_GATHER_INFO |
2014-12-19 | The remote web server contains an application that is affected by multiple vu... | mediawiki_1_23_7.nasl | ACT_GATHER_INFO |
2014-12-15 | The remote Mandriva Linux host is missing one or more security updates. | mandriva_MDVSA-2014-241.nasl | ACT_GATHER_INFO |
2014-12-15 | The remote Debian host is missing a security-related update. | debian_DSA-3100.nasl | ACT_GATHER_INFO |
2014-10-22 | The remote Mandriva Linux host is missing one or more security updates. | mandriva_MDVSA-2014-198.nasl | ACT_GATHER_INFO |
2014-10-14 | The remote Fedora host is missing a security update. | fedora_2014-12262.nasl | ACT_GATHER_INFO |
2014-10-14 | The remote Fedora host is missing a security update. | fedora_2014-12263.nasl | ACT_GATHER_INFO |
2014-10-09 | The remote web server contains an application that is affected by a cross-sit... | mediawiki_1_23_5.nasl | ACT_GATHER_INFO |
2014-10-09 | The remote Fedora host is missing a security update. | fedora_2014-12155.nasl | ACT_GATHER_INFO |
2014-10-06 | The remote web server contains an application that is affected by a cross-sit... | mediawiki_1_23_4.nasl | ACT_GATHER_INFO |
2014-10-06 | The remote Fedora host is missing a security update. | fedora_2014-11727.nasl | ACT_GATHER_INFO |
2014-10-06 | The remote Fedora host is missing a security update. | fedora_2014-11582.nasl | ACT_GATHER_INFO |
2014-10-06 | The remote Debian host is missing a security-related update. | debian_DSA-3046.nasl | ACT_GATHER_INFO |
2014-10-01 | The remote Fedora host is missing a security update. | fedora_2014-11717.nasl | ACT_GATHER_INFO |
2014-09-29 | The remote Debian host is missing a security-related update. | debian_DSA-3036.nasl | ACT_GATHER_INFO |
2014-08-27 | The remote Fedora host is missing a security update. | fedora_2014-9548.nasl | ACT_GATHER_INFO |
2014-08-27 | The remote Fedora host is missing a security update. | fedora_2014-9583.nasl | ACT_GATHER_INFO |
2014-08-25 | The remote Debian host is missing a security-related update. | debian_DSA-3011.nasl | ACT_GATHER_INFO |
2014-08-13 | The remote web server contains an application that is affected by multiple vu... | mediawiki_1_23_2.nasl | ACT_GATHER_INFO |
2014-05-09 | The remote Mandriva Linux host is missing one or more security updates. | mandriva_MDVSA-2014-083.nasl | ACT_GATHER_INFO |
2014-05-06 | The remote Fedora host is missing a security update. | fedora_2014-5691.nasl | ACT_GATHER_INFO |
2014-05-06 | The remote Fedora host is missing a security update. | fedora_2014-5684.nasl | ACT_GATHER_INFO |
2014-05-01 | The remote web server contains an application that is affected by a cross-sit... | mediawiki_1_21_9.nasl | ACT_GATHER_INFO |
2014-04-09 | The remote Fedora host is missing a security update. | fedora_2014-4511.nasl | ACT_GATHER_INFO |
2014-04-09 | The remote Fedora host is missing a security update. | fedora_2014-4478.nasl | ACT_GATHER_INFO |
2014-04-02 | The remote web server contains an application that is affected by a cross-sit... | mediawiki_1_19_14.nasl | ACT_GATHER_INFO |
2014-03-31 | The remote Debian host is missing a security-related update. | debian_DSA-2891.nasl | ACT_GATHER_INFO |
2014-03-14 | The remote Mandriva Linux host is missing one or more security updates. | mandriva_MDVSA-2014-057.nasl | ACT_GATHER_INFO |
2014-03-11 | The remote Fedora host is missing a security update. | fedora_2014-3344.nasl | ACT_GATHER_INFO |
2014-03-11 | The remote Fedora host is missing a security update. | fedora_2014-3338.nasl | ACT_GATHER_INFO |
2014-03-07 | The remote web server contains an application that is affected by multiple vu... | mediawiki_1_19_12.nasl | ACT_GATHER_INFO |
2014-02-21 | The remote web server contains an application that is affected by a remote co... | mediawiki_thumb_rce.nasl | ACT_DESTRUCTIVE_ATTACK |
2014-02-07 | The remote Fedora host is missing a security update. | fedora_2014-1745.nasl | ACT_GATHER_INFO |
2014-02-07 | The remote Fedora host is missing a security update. | fedora_2014-1802.nasl | ACT_GATHER_INFO |
2014-02-06 | The remote web server contains an application that is affected by multiple vu... | mediawiki_1_19_10.nasl | ACT_GATHER_INFO |
2014-01-30 | The remote web server contains an application that is affected by multiple re... | mediawiki_1_19_11.nasl | ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2017-10-17 21:25:23 | |
2015-02-10 13:24:27 | |
2015-02-07 21:22:55 | |