
MediaWiki < 1.23.7 Multiple Vulnerabilities

High

Synopsis

The remote web server is running a PHP application that is out of date.

Description

The installed version of MediaWiki is 1.23.x earlier than 1.23.7 and is affected by multiple vulnerabilities:

- A flaw exists that allows a reflected cross-site scripting (XSS) attack. This flaw exists because 'Special:ExpandTemplates' does not validate input to the 'wpInput' parameter before rendering it in raw HTML and returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. (CVE-2014-9276)

- A flaw exists in the 'wfMangleFlashPolicy()' function in the 'OutputHandler.php' script: API output that contains 'cross-domain-policy' becomes corrupted when it is handled by that function. This may allow a remote attacker to more easily bypass intended cross-domain-policy restrictions. (CVE-2014-9277)

Solution

Upgrade to MediaWiki version 1.23.7.
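
A version check for the affected range stated above, as an added example (not the scanner's own plugin code). It assumes the wiki still emits its default `<meta name="generator" content="MediaWiki x.y.z">` tag, treats 1.23 pre-releases as affected, and uses constructed sample pages; the function names are hypothetical. A removed or altered banner yields "unknown", not "safe".

```python
import re
from html.parser import HTMLParser

FIXED = (1, 23, 7)  # from the advisory: 1.23.x earlier than 1.23.7 is affected


class _GeneratorParser(HTMLParser):
    """Collects the content of the first <meta name="generator"> tag."""

    def __init__(self):
        super().__init__()
        self.generator = None

    def handle_starttag(self, tag, attrs):
        if tag != "meta" or self.generator is not None:
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("name", "").lower() == "generator":
            self.generator = a.get("content", "")


def mediawiki_version(html):
    """Return (major, minor, patch) from the generator banner, or None."""
    parser = _GeneratorParser()
    parser.feed(html)
    m = re.match(r"MediaWiki (\d+)\.(\d+)(?:\.(\d+))?", parser.generator or "")
    if not m:
        return None
    # A missing patch component (e.g. a "1.23rc1" style banner) counts as 0.
    return tuple(int(x) if x else 0 for x in m.groups())


def is_affected(version):
    """True/False for a known version, None when the version is unknown."""
    if version is None:
        return None
    # Only the 1.23 branch is in scope for this advisory.
    return version[:2] == FIXED[:2] and version < FIXED


# Constructed sample pages, not captured from any real site.
SAMPLES = {
    "old": '<html><head><meta name="generator" content="MediaWiki 1.23.6"/></head></html>',
    "fixed": '<html><head><meta name="generator" content="MediaWiki 1.23.7"/></head></html>',
    "hidden": "<html><head><title>Wiki</title></head></html>",
}

if __name__ == "__main__":
    for name, page in SAMPLES.items():
        print(name, mediawiki_version(page), is_affected(mediawiki_version(page)))
```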