Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

MediaWiki < 1.19.23 / 1.22.15 / 1.23.8 / 1.24.1 Multiple Vulnerabilities



The remote web server is running a PHP application that is affected by a security bypass and cross-site scripting vulnerability.


In versions older than 1.24.1, 1.22.15 or 1.19.23 or 1.23.8, MediaWiki contains a flaw in API handling which allows an attacker to bypass authentication. This issue occurs when a website includes an allowed domain as part of its name in '$wgCrossSiteAJAXdomains' in API calls. An attacker can exploit this issue to bypass CORS restrictions. Older versions of MediaWiki are also prone to a cross-site scripting vulnerability because 'thumb.php' script fails to properly sanitize user-supplied input when handling wikitext messages before returning it to the users.


Upgrade to MediaWiki version 1.24.1. Alternatively, versions 1.19.23, 1.22.15, and 1.23.8 or later are patched for these vulnerabilities.