Multiple vulnerabilities in MediaWiki



| Updated: 2020-12-22
Risk Medium
Patch available YES
Number of vulnerabilities 10
CVE-ID CVE-2015-2942
CVE-2015-2941
CVE-2015-2938
CVE-2015-2937
CVE-2015-2936
CVE-2015-2935
CVE-2015-2934
CVE-2015-2933
CVE-2015-2932
CVE-2015-2931
CWE-ID CWE-399
CWE-79
CWE-200
Exploitation vector Network
Public exploit N/A
Vulnerable software
 MediaWiki
Web applications / CMS

Vendor MediaWiki.org

Security Bulletin

This security bulletin contains information about 10 vulnerabilities.

1) Resource management error

EUVDB-ID: #VU40828

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2015-2942

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2, when using HHVM, allows remote attackers to cause a denial of service (CPU and memory consumption) via a large number of nested entity references in an (1) SVG file or (2) XMP metadata in a PDF file, aka a "billion laughs attack," a different vulnerability than CVE-2015-2937.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MediaWiki: 1.20 - 1.24.1

CPE2.3 External links

https://www.openwall.com/lists/oss-security/2015/04/01/1
https://www.openwall.com/lists/oss-security/2015/04/07/3
https://www.securityfocus.com/bid/73477
https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html
https://phabricator.wikimedia.org/T85848
https://security.gentoo.org/glsa/201510-05


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Cross-site scripting

EUVDB-ID: #VU40829

Risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2015-2941

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

Vulnerability allows a remote attacker to perform Cross-site scripting attacks.

An input validation error exists in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2, when using HHVM,. A remote authenticated attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MediaWiki: 1.20 - 1.24.1

CPE2.3 External links

https://www.openwall.com/lists/oss-security/2015/04/01/1
https://www.openwall.com/lists/oss-security/2015/04/07/3
https://www.securityfocus.com/bid/73477
https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html
https://phabricator.wikimedia.org/T85851
https://security.gentoo.org/glsa/201510-05


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Cross-site scripting

EUVDB-ID: #VU40830

Risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2015-2938

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

Vulnerability allows a remote attacker to perform XSS attacks.

The vulnerability is caused by an input validation error in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MediaWiki: 1.20 - 1.24.1

CPE2.3 External links

https://www.mandriva.com/security/advisories?name=MDVSA-2015:200
https://www.openwall.com/lists/oss-security/2015/04/01/1
https://www.openwall.com/lists/oss-security/2015/04/07/3
https://www.securityfocus.com/bid/73477
https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html
https://phabricator.wikimedia.org/T85855
https://security.gentoo.org/glsa/201510-05


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Resource management error

EUVDB-ID: #VU40831

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2015-2937

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2, when using HHVM or Zend PHP, allows remote attackers to cause a denial of service ("quadratic blowup" and memory consumption) via an XML file containing an entity declaration with long replacement text and many references to this entity, a different vulnerability than CVE-2015-2942.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MediaWiki: 1.20 - 1.24.1

CPE2.3 External links

https://www.mandriva.com/security/advisories?name=MDVSA-2015:200
https://www.openwall.com/lists/oss-security/2015/04/01/1
https://www.openwall.com/lists/oss-security/2015/04/07/3
https://www.securityfocus.com/bid/73477
https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html
https://phabricator.wikimedia.org/T71210
https://security.gentoo.org/glsa/201510-05


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Resource management error

EUVDB-ID: #VU40832

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2015-2936

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

MediaWiki 1.24.x before 1.24.2, when using PBKDF2 for password hashing, allows remote attackers to cause a denial of service (CPU consumption) via a long password.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MediaWiki: 1.24.0 - 1.24.1

CPE2.3 External links

https://www.mandriva.com/security/advisories?name=MDVSA-2015:200
https://www.openwall.com/lists/oss-security/2015/04/01/1
https://www.openwall.com/lists/oss-security/2015/04/07/3
https://www.securityfocus.com/bid/73477
https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html
https://phabricator.wikimedia.org/T64685
https://security.gentoo.org/glsa/201510-05


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Information disclosure

EUVDB-ID: #VU40833

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2015-2935

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to bypass the SVG filtering and obtain sensitive user information via a mixed case @import in a style element in an SVG file, as demonstrated by "@imporT."

Mitigation

Install update from vendor's website.

Vulnerable software versions

MediaWiki: 1.20 - 1.24.1

CPE2.3 External links

https://www.mandriva.com/security/advisories?name=MDVSA-2015:200
https://www.openwall.com/lists/oss-security/2015/04/01/1
https://www.openwall.com/lists/oss-security/2015/04/07/3
https://www.securityfocus.com/bid/73477
https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html
https://phabricator.wikimedia.org/T85349
https://security.gentoo.org/glsa/201510-05


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Cross-site scripting

EUVDB-ID: #VU40834

Risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2015-2934

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 does not properly handle when the Zend interpreter xml_parse function does not expand entities, which allows remote attackers to inject arbitrary web script or HTML via a crafted SVG file.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MediaWiki: 1.20 - 1.24.1

CPE2.3 External links

https://www.mandriva.com/security/advisories?name=MDVSA-2015:200
https://www.openwall.com/lists/oss-security/2015/04/01/1
https://www.openwall.com/lists/oss-security/2015/04/07/3
https://www.securityfocus.com/bid/73477
https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html
https://phabricator.wikimedia.org/T88310
https://security.gentoo.org/glsa/201510-05


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Cross-site scripting

EUVDB-ID: #VU40835

Risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2015-2933

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

Vulnerability allows a remote attacker to perform Cross-site scripting attacks.

An input validation error exists in the Html class in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2. A remote authenticated attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MediaWiki: 1.20 - 1.24.1

CPE2.3 External links

https://www.mandriva.com/security/advisories?name=MDVSA-2015:200
https://www.openwall.com/lists/oss-security/2015/04/01/1
https://www.openwall.com/lists/oss-security/2015/04/07/3
https://www.securityfocus.com/bid/73477
https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html
https://phabricator.wikimedia.org/T73394
https://security.gentoo.org/glsa/201510-05


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Cross-site scripting

EUVDB-ID: #VU40836

Risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2015-2932

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

Incomplete blacklist vulnerability in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via an animated href XLink element.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MediaWiki: 1.20 - 1.24.1

CPE2.3 External links

https://www.mandriva.com/security/advisories?name=MDVSA-2015:200
https://www.openwall.com/lists/oss-security/2015/04/01/1
https://www.openwall.com/lists/oss-security/2015/04/07/3
https://www.securityfocus.com/bid/73477
https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html
https://phabricator.wikimedia.org/T86711
https://security.gentoo.org/glsa/201510-05


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Cross-site scripting

EUVDB-ID: #VU40837

Risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2015-2931

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

Incomplete blacklist vulnerability in includes/upload/UploadBase.php in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via an application/xml MIME type for a nested SVG with a data: URI.

Mitigation

Install update from vendor's website.

Vulnerable software versions

MediaWiki: 1.20 - 1.24.1

CPE2.3 External links

https://www.mandriva.com/security/advisories?name=MDVSA-2015:200
https://www.openwall.com/lists/oss-security/2015/04/01/1
https://www.openwall.com/lists/oss-security/2015/04/07/3
https://www.securityfocus.com/bid/73477
https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html
https://phabricator.wikimedia.org/T85850
https://security.gentoo.org/glsa/201510-05


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###