CVE-2015-2932

medium

Description

Incomplete blacklist vulnerability in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via an animated href XLink element.

References

http://www.mandriva.com/security/advisories?name=MDVSA-2015:200

http://www.openwall.com/lists/oss-security/2015/04/01/1

http://www.openwall.com/lists/oss-security/2015/04/07/3

http://www.securityfocus.com/bid/73477

https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html

https://phabricator.wikimedia.org/T86711

https://security.gentoo.org/glsa/201510-05

Details

Source: MITRE

Published: 2015-04-13

Updated: 2016-12-07

Type: CWE-79

Risk Information

CVSS v2

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM