Description
MediaWiki 1.2x before 1.22.15, 1.23.x before 1.23.8, and 1.24.x before 1.24.1 allows remote attackers to bypass CORS restrictions in $wgCrossSiteAJAXdomains via a domain that has a partial match to an allowed origin, as demonstrated by "http://en.wikipedia.org.evilsite.example/."
References (5)
Core 5
Core References
Exploit x_refsource_confirm
https://phabricator.wikimedia.org/T77028
Mailing List mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2015/01/03/13
Mailing List mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2014/12/21/2
Vendor Advisory vendor-advisory
x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2015:006
Vendor Advisory mailing-list
x_refsource_mlist
https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-December/000173.html
Scores
EPSS
0.0072
EPSS Percentile
72.7%
Details
CWE
CWE-264
Status
published
Products (46)
mediawiki/mediawiki
1.20
mediawiki/mediawiki
1.20.1
mediawiki/mediawiki
1.20.2
mediawiki/mediawiki
1.20.3
mediawiki/mediawiki
1.20.4
mediawiki/mediawiki
1.20.5
mediawiki/mediawiki
1.20.6
mediawiki/mediawiki
1.20.7
mediawiki/mediawiki
1.20.8
mediawiki/mediawiki
1.21
... and 36 more
Published
Jan 16, 2015
Tracked Since
Feb 18, 2026