Main Vulnerability Database Vulnerabilities #VU40971

Command Injection in MediaWiki - CVE-2014-9277

Published: January 4, 2015 / Updated: August 9, 2020

Vulnerability identifier: #VU40971

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2014-9277

CWE-ID: CWE-77

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: MediaWiki.org

Affected software:
MediaWiki

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The wfMangleFlashPolicy function in OutputHandler.php in MediaWiki before 1.19.22, 1.20.x through 1.22.x before 1.22.14, and 1.23.x before 1.23.7 allows remote attackers to conduct PHP object injection attacks via a crafted string containing <cross-domain-policy> in a PHP format request, which causes the string length to change when converting the request to <NOT-cross-domain-policy>.

How to mitigate CVE-2014-9277

Install update from vendor's website.

Command Injection in MediaWiki - CVE-2014-9277

Detailed vulnerability description

How to mitigate CVE-2014-9277

Sources

Please verify you're human