Main Vulnerability Database Vulnerabilities #VU40833

Information disclosure in MediaWiki - CVE-2015-2935

Published: April 13, 2015 / Updated: August 9, 2020

Vulnerability identifier: #VU40833

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2015-2935

CWE-ID: CWE-200

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: MediaWiki.org

Affected software:
MediaWiki

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to bypass the SVG filtering and obtain sensitive user information via a mixed case @import in a style element in an SVG file, as demonstrated by "@imporT."

How to mitigate CVE-2015-2935

Install update from vendor's website.

Sources

http://www.mandriva.com/security/advisories?name=MDVSA-2015:200
http://www.openwall.com/lists/oss-security/2015/04/01/1
http://www.openwall.com/lists/oss-security/2015/04/07/3
http://www.securityfocus.com/bid/73477
https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html
https://phabricator.wikimedia.org/T85349
https://security.gentoo.org/glsa/201510-05

Information disclosure in MediaWiki - CVE-2015-2935

Detailed vulnerability description

How to mitigate CVE-2015-2935

Sources

Please verify you're human