Synopsis
The remote web server contains a PHP application that is affected by multiple vulnerabilities.
Description
According to its version number, the instance of MediaWiki running on the remote host is affected by multiple security vulnerabilities:
- A flaw exists because the application fails to validate input passed via Lua function names before returning it to the user. This allows a remote attacker to conduct cross-site scripting (XSS) attacks.
- Multiple XML external entity (XXE) flaws exist in 'Special:Import', 'SVG' parsing, and 'Extension:RSS' when handling XML from untrusted sources. This allows a remote attacker to execute arbitrary commands and gain access to arbitrary files.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade to MediaWiki version 1.19.5 / 1.20.4 or later.