CVE-2014-2242

MediaWiki <1.19.12, 1.20.x, 1.21.x <1.21.6, 1.22.x <1.22.3 - XSS

Description

includes/upload/UploadBase.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 does not prevent use of invalid namespaces in SVG files, which allows remote attackers to conduct cross-site scripting (XSS) attacks via an SVG upload, as demonstrated by use of a W3C XHTML namespace in conjunction with an IFRAME element.

References (7)

Third Party Advisory, VDB Entry (x_refsource_bid): http://www.securityfocus.com/bid/65910
Mailing List (x_refsource_mlist): http://openwall.com/lists/oss-security/2014/02/28/1
Patch, Vendor Advisory (x_refsource_mlist): http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-February/000141.html
Vendor Advisory (x_refsource_confirm): https://bugzilla.wikimedia.org/show_bug.cgi?id=60771
Mailing List (x_refsource_mlist): http://openwall.com/lists/oss-security/2014/03/01/2
Issue Tracking (x_refsource_confirm): https://bugzilla.redhat.com/show_bug.cgi?id=1071135

Scores

EPSS 0.0050
EPSS Percentile 66.1%

Details

CWE
CWE-79
Status published
Products (37)
mediawiki/mediawiki 1.1.0
mediawiki/mediawiki 1.10.0 (3 CPE variants)
mediawiki/mediawiki 1.10.1
mediawiki/mediawiki 1.10.2
mediawiki/mediawiki 1.10.3
mediawiki/mediawiki 1.10.4
mediawiki/mediawiki 1.11
mediawiki/mediawiki 1.11.0 (2 CPE variants)
mediawiki/mediawiki 1.11.1
mediawiki/mediawiki 1.11.2
... and 27 more
Published Mar 02, 2014
Tracked Since Feb 18, 2026