CVE-2014-2853
MediaWiki < 1.21.9 and 1.22.x < 1.22.6 - Cross-Site Scripting via Info Action Sort Key
Title source: llmDescription
Cross-site scripting (XSS) vulnerability in includes/actions/InfoAction.php in MediaWiki before 1.21.9 and 1.22.x before 1.22.6 allows remote attackers to inject arbitrary web script or HTML via the sort key in an info action.
References (9)
Core 9
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/67068
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1030161
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/58262
Patch x_refsource_misc
https://github.com/wikimedia/mediawiki-core/commit/0b695ae09aada343ab59be4a3c9963995a1143b6
Various Sources mailing-list
x_refsource_mlist
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-April/000149.html
Vendor Advisory x_refsource_confirm
https://www.mediawiki.org/wiki/Release_notes/1.22#Changes_since_1.22.5
Issue Tracking x_refsource_confirm
https://bugzilla.wikimedia.org/show_bug.cgi?id=63251
Vendor Advisory x_refsource_confirm
https://www.mediawiki.org/wiki/Release_notes/1.21#Changes_since_1.21.8
Issue Tracking x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=1091967
Scores
EPSS
0.0045
EPSS Percentile
64.0%
Details
CWE
CWE-79
Status
published
Products (43)
mediawiki/core
0 - 1.21.9Packagist
mediawiki/mediawiki
1.1.0
mediawiki/mediawiki
1.2.0
mediawiki/mediawiki
1.2.1
mediawiki/mediawiki
1.2.2
mediawiki/mediawiki
1.2.3
mediawiki/mediawiki
1.2.4
mediawiki/mediawiki
1.2.5
mediawiki/mediawiki
1.2.6
mediawiki/mediawiki
1.3
... and 33 more
Published
Apr 29, 2014
Tracked Since
Feb 18, 2026