SB2015041301 - Multiple vulnerabilities in MediaWiki
Published: April 13, 2015 Updated: December 22, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 10 secuirty vulnerabilities.
1) Resource management error (CVE-ID: CVE-2015-2942)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2, when using HHVM, allows remote attackers to cause a denial of service (CPU and memory consumption) via a large number of nested entity references in an (1) SVG file or (2) XMP metadata in a PDF file, aka a "billion laughs attack," a different vulnerability than CVE-2015-2937.
2) Cross-site scripting (CVE-ID: CVE-2015-2941)
Vulnerability allows a remote attacker to perform Cross-site scripting attacks.
An input validation error exists in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2, when using HHVM,. A remote authenticated attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
3) Cross-site scripting (CVE-ID: CVE-2015-2938)
Vulnerability allows a remote attacker to perform XSS attacks.
The vulnerability is caused by an input validation error in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
4) Resource management error (CVE-ID: CVE-2015-2937)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2, when using HHVM or Zend PHP, allows remote attackers to cause a denial of service ("quadratic blowup" and memory consumption) via an XML file containing an entity declaration with long replacement text and many references to this entity, a different vulnerability than CVE-2015-2942.
5) Resource management error (CVE-ID: CVE-2015-2936)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
MediaWiki 1.24.x before 1.24.2, when using PBKDF2 for password hashing, allows remote attackers to cause a denial of service (CPU consumption) via a long password.
6) Information disclosure (CVE-ID: CVE-2015-2935)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to bypass the SVG filtering and obtain sensitive user information via a mixed case @import in a style element in an SVG file, as demonstrated by "@imporT."
7) Cross-site scripting (CVE-ID: CVE-2015-2934)
The vulnerability allows a remote non-authenticated attacker to manipulate data.
MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 does not properly handle when the Zend interpreter xml_parse function does not expand entities, which allows remote attackers to inject arbitrary web script or HTML via a crafted SVG file.
8) Cross-site scripting (CVE-ID: CVE-2015-2933)
Vulnerability allows a remote attacker to perform Cross-site scripting attacks.
An input validation error exists in the Html class in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2. A remote authenticated attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
9) Cross-site scripting (CVE-ID: CVE-2015-2932)
The vulnerability allows a remote non-authenticated attacker to manipulate data.
Incomplete blacklist vulnerability in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via an animated href XLink element.
10) Cross-site scripting (CVE-ID: CVE-2015-2931)
The vulnerability allows a remote non-authenticated attacker to manipulate data.
Incomplete blacklist vulnerability in includes/upload/UploadBase.php in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via an application/xml MIME type for a nested SVG with a data: URI.
Remediation
Install update from vendor's website.
References
- http://www.openwall.com/lists/oss-security/2015/04/01/1
- http://www.openwall.com/lists/oss-security/2015/04/07/3
- http://www.securityfocus.com/bid/73477
- https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html
- https://phabricator.wikimedia.org/T85848
- https://security.gentoo.org/glsa/201510-05
- https://phabricator.wikimedia.org/T85851
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:200
- https://phabricator.wikimedia.org/T85855
- https://phabricator.wikimedia.org/T71210
- https://phabricator.wikimedia.org/T64685
- https://phabricator.wikimedia.org/T85349
- https://phabricator.wikimedia.org/T88310
- https://phabricator.wikimedia.org/T73394
- https://phabricator.wikimedia.org/T86711
- https://phabricator.wikimedia.org/T85850