CVE-2014-1610
MediaWiki <1.22.2/<1.21.5/<1.19.11 - RCE
Title source: llmDescription
MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5, and 1.19.x before 1.19.11, when DjVu or PDF file upload support is enabled, allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the page parameter to includes/media/DjVu.php; (2) the w parameter (aka width field) to thumb.php, which is not properly handled by includes/media/PdfHandler_body.php; and possibly unspecified vectors in (3) includes/media/Bitmap.php and (4) includes/media/ImageHandler.php.
Exploits (3)
- exploitdb: WORKING POC, VERIFIED. By Metasploit. Tags: ruby, remote, multiple.
  https://www.exploit-db.com/exploits/31767
- exploitdb: WORKING POC, VERIFIED. By @u0x. Tags: text, webapps, multiple.
  https://www.exploit-db.com/exploits/31329
- metasploit: WORKING POC, EXCELLENT. By Netanel Rubin, Brandon Perry, Ben Harris, Ben Campbell. Tags: ruby, poc.
  https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/mediawiki_thumb.rb
References (19)
Scores
EPSS: 0.4804
EPSS Percentile: 97.7%
Details
CWE: CWE-20
Status: published
Products (17)
mediawiki/mediawiki 1.19.0
mediawiki/mediawiki 1.19.1
mediawiki/mediawiki 1.19.2
mediawiki/mediawiki 1.19.3
mediawiki/mediawiki 1.19.4
mediawiki/mediawiki 1.19.5
mediawiki/mediawiki 1.19.6
mediawiki/mediawiki 1.19.7
mediawiki/mediawiki 1.19.8
mediawiki/mediawiki 1.19.9
... and 7 more
Published: Jan 30, 2014
Tracked Since: Feb 18, 2026