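MediaWiki before 1.23.2 is vulnerable to JSONP injection in Flash (CVE-2014-5241), XSS in mediawiki.page.image.pagination.js (CVE-2014-5242), and clickjacking between OutputPage and ParserOutput (CVE-2014-5243). This update provides MediaWiki 1.23.2, fixing these and other issues. The scanner records below also list 1.19.18 and 1.22.9 as the fixed releases on the 1.19 and 1.22 branches. The remote Nessus check in those records relies only on the application's self-reported version number, so verify the installed version on the host itself before treating a finding as confirmed or cleared.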
{"nessus": [{"lastseen": "2022-04-16T14:08:33", "description": "According to its version number, the instance of MediaWiki running on the remote host is affected by the following vulnerabilities :\n\n - A flaw exists due to comments not being prepended to the JSONP callbacks. This allows a remote attacker, using a specially crafted SWF file, to perform a cross-site request forgery attack. (CVE-2014-5241)\n\n - A cross-site scripting vulnerability exists within the 'mediawiki.page.image.pagination.js' script due to a failure to validate user-supplied input when the function 'ajaxifyPageNavigation' calls 'loadPage'. This allows a remote attacker, using a specially crafted request, to execute arbitrary script code within the trust relationship between the browser and server.\n (CVE-2014-5242)\n\n - A flaw exists with the iFrame protection mechanism, related to 'OutputPage' and 'ParserOutput', which allows a remote attacker to conduct a clickjacking attack.\n (CVE-2014-5243)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": null, "vector": null}, "published": "2014-08-13T00:00:00", "type": "nessus", "title": "MediaWiki < 1.19.18 / 1.22.9 / 1.23.2 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-5241", "CVE-2014-5242", "CVE-2014-5243"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:mediawiki:mediawiki"], "id": "MEDIAWIKI_1_23_2.NASL", "href": "https://www.tenable.com/plugins/nessus/77183", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(77183);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2014-5241\", \"CVE-2014-5242\", \"CVE-2014-5243\");\n script_bugtraq_id(69135, 69136, 69137);\n\n 
script_name(english:\"MediaWiki < 1.19.18 / 1.22.9 / 1.23.2 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains an application that is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its version number, the instance of MediaWiki running on\nthe remote host is affected by the following vulnerabilities :\n\n - A flaw exists due to comments not being prepended to the\n JSONP callbacks. This allows a remote attacker, using a\n specially crafted SWF file, to perform a cross-site\n request forgery attack. (CVE-2014-5241)\n\n - A cross-site scripting vulnerability exists within the\n 'mediawiki.page.image.pagination.js' script due to a\n failure to validate user-supplied input when the\n function 'ajaxifyPageNavigation' calls 'loadPage'. This\n allows a remote attacker, using a specially crafted\n request, to execute arbitrary script code within the\n trust relationship between the browser and server.\n (CVE-2014-5242)\n\n - A flaw exists with the iFrame protection mechanism,\n related to 'OutputPage' and 'ParserOutput', which allows\n a remote attacker to conduct a clickjacking attack.\n (CVE-2014-5243)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n # https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-July/000157.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1ee4304d\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.mediawiki.org/wiki/Release_notes/1.19#MediaWiki_1.19.18\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.mediawiki.org/wiki/Release_notes/1.22#MediaWiki_1.22.9\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.mediawiki.org/wiki/Release_notes/1.23#MediaWiki_1.23.2\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://phabricator.wikimedia.org/T70187\");\n script_set_attribute(attribute:\"see_also\", value:\"https://phabricator.wikimedia.org/T68608\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to MediaWiki version 1.19.18 / 1.22.9 / 1.23.2 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/06/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/07/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/08/13\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:mediawiki:mediawiki\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"mediawiki_detect.nasl\");\n script_require_keys(\"Settings/ParanoidReport\", \"installed_sw/MediaWiki\", \"www/PHP\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\napp = \"MediaWiki\";\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:80, php:TRUE);\n\ninstall = get_single_install(\n app_name : app,\n port : port,\n exit_if_unknown_ver : TRUE\n);\nversion = install['version'];\ninstall_url = build_url(qs:install['path'], port:port);\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nif (\n version =~ \"^1\\.19\\.(\\d|1[0-7])([^0-9]|$)\" ||\n version =~ \"^1\\.22\\.[0-8]([^0-9]|$)\" ||\n version =~ \"^1\\.23\\.[01]([^0-9]|$)\"\n)\n{\n set_kb_item(name:'www/'+port+'/XSS', value:TRUE);\n set_kb_item(name:'www/'+port+'/XSRF', value:TRUE);\n\n if (report_verbosity > 0)\n {\n report =\n '\\n URL : ' + install_url +\n '\\n Installed version : ' + version +\n '\\n Fixed versions : 1.19.18 / 1.22.9 / 1.23.2' +\n '\\n';\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url, version);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T12:48:45", "description": "This is a major update from the 1.21 branch to the 1.23 long term support branch.\n\n - (bug 68187) SECURITY: Prepend jsonp callback with comment. - CVE-2014-5241\n\n - (bug 66608) SECURITY: Fix for XSS issue in bug 66608:\n Generate the URL used for loading a new page in JavaScript,instead of relying on the URL in the link that has been clicked. - CVE-2014-5242\n\n - (bug 65778) SECURITY: Copy prevent-clickjacking between OutputPage and ParserOutput. 
- CVE-2014-5243\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": null, "vector": null}, "published": "2014-08-27T00:00:00", "type": "nessus", "title": "Fedora 20 : mediawiki-1.23.2-1.fc20 (2014-9583)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-5241", "CVE-2014-5242", "CVE-2014-5243"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:mediawiki", "cpe:/o:fedoraproject:fedora:20"], "id": "FEDORA_2014-9583.NASL", "href": "https://www.tenable.com/plugins/nessus/77400", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-9583.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(77400);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2014-5241\", \"CVE-2014-5242\", \"CVE-2014-5243\");\n script_bugtraq_id(69135, 69136, 69137);\n script_xref(name:\"FEDORA\", value:\"2014-9583\");\n\n script_name(english:\"Fedora 20 : mediawiki-1.23.2-1.fc20 (2014-9583)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This is a major update from the 1.21 branch to the 1.23 long term\nsupport branch.\n\n - (bug 68187) SECURITY: Prepend jsonp callback with\n comment. 
- CVE-2014-5241\n\n - (bug 66608) SECURITY: Fix for XSS issue in bug 66608:\n Generate the URL used for loading a new page in\n JavaScript,instead of relying on the URL in the link\n that has been clicked. - CVE-2014-5242\n\n - (bug 65778) SECURITY: Copy prevent-clickjacking\n between OutputPage and ParserOutput. - CVE-2014-5243\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1125111\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-August/137052.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?23df0420\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected mediawiki package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:mediawiki\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:20\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/08/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/08/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n 
script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^20([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 20.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC20\", reference:\"mediawiki-1.23.2-1.fc20\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"mediawiki\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T12:48:45", "description": "This is a major update from the 1.21 branch to the 1.23 long term support branch.\n\n - (bug 68187) SECURITY: Prepend jsonp callback with comment. - CVE-2014-5241\n\n - (bug 66608) SECURITY: Fix for XSS issue in bug 66608:\n Generate the URL used for loading a new page in JavaScript,instead of relying on the URL in the link that has been clicked. - CVE-2014-5242\n\n - (bug 65778) SECURITY: Copy prevent-clickjacking between OutputPage and ParserOutput. 
- CVE-2014-5243\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": null, "vector": null}, "published": "2014-08-27T00:00:00", "type": "nessus", "title": "Fedora 19 : mediawiki-1.23.2-1.fc19 (2014-9548)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-5241", "CVE-2014-5242", "CVE-2014-5243"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:mediawiki", "cpe:/o:fedoraproject:fedora:19"], "id": "FEDORA_2014-9548.NASL", "href": "https://www.tenable.com/plugins/nessus/77398", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-9548.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(77398);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2014-5241\", \"CVE-2014-5242\", \"CVE-2014-5243\");\n script_bugtraq_id(69135, 69136, 69137);\n script_xref(name:\"FEDORA\", value:\"2014-9548\");\n\n script_name(english:\"Fedora 19 : mediawiki-1.23.2-1.fc19 (2014-9548)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This is a major update from the 1.21 branch to the 1.23 long term\nsupport branch.\n\n - (bug 68187) SECURITY: Prepend jsonp callback with\n comment. 
- CVE-2014-5241\n\n - (bug 66608) SECURITY: Fix for XSS issue in bug 66608:\n Generate the URL used for loading a new page in\n JavaScript,instead of relying on the URL in the link\n that has been clicked. - CVE-2014-5242\n\n - (bug 65778) SECURITY: Copy prevent-clickjacking\n between OutputPage and ParserOutput. - CVE-2014-5243\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1125111\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-August/137048.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?8c3be14b\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected mediawiki package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:mediawiki\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:19\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/08/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/08/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n 
script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^19([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 19.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC19\", reference:\"mediawiki-1.23.2-1.fc19\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"mediawiki\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T12:48:53", "description": "It was discovered that MediaWiki, a website engine for collaborative work, is vulnerable to JSONP injection in Flash (CVE-2014-5241 ) and clickjacking between OutputPage and ParserOutput (CVE-2014-5243 ). 
The vulnerabilities are addressed by upgrading MediaWiki to the new upstream version 1.19.18, which includes additional changes.", "cvss3": {"score": null, "vector": null}, "published": "2014-08-25T00:00:00", "type": "nessus", "title": "Debian DSA-3011-1 : mediawiki - security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-5241", "CVE-2014-5243"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:mediawiki", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DSA-3011.NASL", "href": "https://www.tenable.com/plugins/nessus/77358", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3011. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(77358);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2014-5241\", \"CVE-2014-5243\");\n script_bugtraq_id(69136, 69137);\n script_xref(name:\"DSA\", value:\"3011\");\n\n script_name(english:\"Debian DSA-3011-1 : mediawiki - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that MediaWiki, a website engine for collaborative\nwork, is vulnerable to JSONP injection in Flash (CVE-2014-5241 ) and\nclickjacking between OutputPage and ParserOutput (CVE-2014-5243 ). 
The\nvulnerabilities are addressed by upgrading MediaWiki to the new\nupstream version 1.19.18, which includes additional changes.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752622\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758510\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2014-5241\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2014-5243\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/mediawiki\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2014/dsa-3011\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the mediawiki packages.\n\nFor the stable distribution (wheezy), these problems have been fixed\nin version 1:1.19.18+dfsg-0+deb7u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:mediawiki\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/08/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/08/25\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"mediawiki\", reference:\"1:1.19.18+dfsg-0+deb7u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T12:46:56", "description": "The remote host is affected by the vulnerability described in GLSA-201502-04 (MediaWiki: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in MediaWiki. 
Please review the CVE identifiers and MediaWiki announcement referenced below for details.\n Impact :\n\n A remote attacker may be able to execute arbitrary code with the privileges of the process, create a Denial of Service condition, obtain sensitive information, bypass security restrictions, and inject arbitrary web script or HTML.\n Workaround :\n\n There is no known workaround at this time.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2015-02-09T00:00:00", "type": "nessus", "title": "GLSA-201502-04 : MediaWiki: Multiple vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-6451", "CVE-2013-6452", "CVE-2013-6453", "CVE-2013-6454", "CVE-2013-6472", "CVE-2014-1610", "CVE-2014-2242", "CVE-2014-2243", "CVE-2014-2244", "CVE-2014-2665", "CVE-2014-2853", "CVE-2014-5241", "CVE-2014-5242", "CVE-2014-5243", "CVE-2014-7199", "CVE-2014-7295", "CVE-2014-9276", "CVE-2014-9277", "CVE-2014-9475", "CVE-2014-9476", "CVE-2014-9477", "CVE-2014-9478", "CVE-2014-9479", "CVE-2014-9480", "CVE-2014-9481", "CVE-2014-9487", "CVE-2014-9507"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:mediawiki", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-201502-04.NASL", "href": "https://www.tenable.com/plugins/nessus/81227", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201502-04.\n#\n# The advisory text is Copyright (C) 2001-2019 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(81227);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2013-6451\", \"CVE-2013-6452\", \"CVE-2013-6453\", \"CVE-2013-6454\", \"CVE-2013-6472\", \"CVE-2014-1610\", \"CVE-2014-2242\", \"CVE-2014-2243\", \"CVE-2014-2244\", \"CVE-2014-2665\", \"CVE-2014-2853\", \"CVE-2014-5241\", \"CVE-2014-5242\", \"CVE-2014-5243\", \"CVE-2014-7199\", \"CVE-2014-7295\", \"CVE-2014-9276\", \"CVE-2014-9277\", \"CVE-2014-9475\", \"CVE-2014-9476\", \"CVE-2014-9477\", \"CVE-2014-9478\", \"CVE-2014-9479\", \"CVE-2014-9480\", \"CVE-2014-9481\", \"CVE-2014-9487\", \"CVE-2014-9507\");\n script_xref(name:\"GLSA\", value:\"201502-04\");\n\n script_name(english:\"GLSA-201502-04 : MediaWiki: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201502-04\n(MediaWiki: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in MediaWiki. 
Please\n review the CVE identifiers and MediaWiki announcement referenced below\n for details.\n \nImpact :\n\n A remote attacker may be able to execute arbitrary code with the\n privileges of the process, create a Denial of Service condition, obtain\n sensitive information, bypass security restrictions, and inject arbitrary\n web script or HTML.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n # https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-June/000155.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?4ef35312\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201502-04\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All MediaWiki 1.23 users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=www-apps/mediawiki-1.23.8'\n All MediaWiki 1.22 users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=www-apps/mediawiki-1.22.15'\n All MediaWiki 1.19 users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=www-apps/mediawiki-1.19.23'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"MediaWiki thumb.php page Parameter Remote Shell Command Injection\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MediaWiki Thumb.php Remote Command Execution');\n 
script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:mediawiki\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/01/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/02/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/02/09\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"www-apps/mediawiki\", unaffected:make_list(\"ge 1.23.8\", \"rge 1.22.15\", \"rge 1.19.23\"), vulnerable:make_list(\"lt 1.23.8\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"MediaWiki\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "osv": [{"lastseen": "2022-08-10T07:09:19", "description": 
"\nIt was discovered that MediaWiki, a website engine for collaborative\nwork, is vulnerable to JSONP injection in Flash ([CVE-2014-5241](https://security-tracker.debian.org/tracker/CVE-2014-5241)) and\nclickjacking between OutputPage and ParserOutput ([CVE-2014-5243](https://security-tracker.debian.org/tracker/CVE-2014-5243)). The\nvulnerabilities are addressed by upgrading MediaWiki to the new upstream\nversion 1.19.18, which includes additional changes.\n\n\nFor the stable distribution (wheezy), these problems have been fixed in\nversion 1:1.19.18+dfsg-0+deb7u1.\n\n\nFor the unstable distribution (sid), these problems will be fixed soon.\n\n\nWe recommend that you upgrade your mediawiki packages.\n\n\n", "cvss3": {}, "published": "2014-08-23T00:00:00", "type": "osv", "title": "mediawiki - security update", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-5241", "CVE-2014-5243"], "modified": "2022-08-10T07:09:14", "id": "OSV:DSA-3011-1", "href": "https://osv.dev/vulnerability/DSA-3011-1", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-05-29T18:37:42", "description": "It was discovered that MediaWiki, a website engine for collaborative\nwork, is vulnerable to JSONP injection in Flash (CVE-2014-5241) and\nclickjacking between OutputPage and ParserOutput (CVE-2014-5243\n). 
The\nvulnerabilities are addressed by upgrading MediaWiki to the new upstream\nversion 1.19.18, which includes additional changes.", "cvss3": {}, "published": "2014-08-23T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 3011-1 (mediawiki - security update)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-5243", "CVE-2014-5241"], "modified": "2019-03-19T00:00:00", "id": "OPENVAS:1361412562310703011", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703011", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3011.nasl 14302 2019-03-19 08:28:48Z cfischer $\n# Auto-generated from advisory DSA 3011-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703011\");\n script_version(\"$Revision: 14302 $\");\n script_cve_id(\"CVE-2014-5241\", \"CVE-2014-5243\");\n script_name(\"Debian Security Advisory DSA 3011-1 (mediawiki - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-19 09:28:48 +0100 (Tue, 19 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-08-23 00:00:00 +0200 (Sat, 23 Aug 2014)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2014/dsa-3011.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n script_tag(name:\"affected\", value:\"mediawiki on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (wheezy), these problems have been fixed in\nversion 1:1.19.18+dfsg-0+deb7u1.\n\nFor the unstable distribution (sid), these problems will be fixed soon.\n\nWe recommend that you upgrade your mediawiki packages.\");\n script_tag(name:\"summary\", value:\"It was discovered that MediaWiki, a website engine for collaborative\nwork, is vulnerable to JSONP injection in Flash (CVE-2014-5241) and\nclickjacking between OutputPage and ParserOutput (CVE-2014-5243\n). 
The\nvulnerabilities are addressed by upgrading MediaWiki to the new upstream\nversion 1.19.18, which includes additional changes.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"mediawiki\", ver:\"1:1.19.18+dfsg-0+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-07-26T08:48:42", "description": "It was discovered that MediaWiki, a website engine for collaborative\nwork, is vulnerable to JSONP injection in Flash (CVE-2014-5241) and\nclickjacking between OutputPage and ParserOutput (CVE-2014-5243). 
The\nvulnerabilities are addressed by upgrading MediaWiki to the new upstream\nversion 1.19.18, which includes additional changes.", "cvss3": {}, "published": "2014-08-23T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 3011-1 (mediawiki - security update)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-5243", "CVE-2014-5241"], "modified": "2017-07-11T00:00:00", "id": "OPENVAS:703011", "href": "http://plugins.openvas.org/nasl.php?oid=703011", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3011.nasl 6663 2017-07-11 09:58:05Z teissa $\n# Auto-generated from advisory DSA 3011-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_affected = \"mediawiki on Debian Linux\";\ntag_insight = \"MediaWiki is a wiki engine (a program for creating a collaboratively\nedited website). 
It is designed to handle heavy websites containing\nlibrary-like document collections, and supports user uploads of\nimages/sounds, multilingual content, TOC autogeneration, ISBN links,\netc.\";\ntag_solution = \"For the stable distribution (wheezy), these problems have been fixed in\nversion 1:1.19.18+dfsg-0+deb7u1.\n\nFor the unstable distribution (sid), these problems will be fixed soon.\n\nWe recommend that you upgrade your mediawiki packages.\";\ntag_summary = \"It was discovered that MediaWiki, a website engine for collaborative\nwork, is vulnerable to JSONP injection in Flash (CVE-2014-5241) and\nclickjacking between OutputPage and ParserOutput (CVE-2014-5243 \n). The\nvulnerabilities are addressed by upgrading MediaWiki to the new upstream\nversion 1.19.18, which includes additional changes.\";\ntag_vuldetect = \"This check tests the installed software version using the apt package manager.\";\n\nif(description)\n{\n script_id(703011);\n script_version(\"$Revision: 6663 $\");\n script_cve_id(\"CVE-2014-5241\", \"CVE-2014-5243\");\n script_name(\"Debian Security Advisory DSA 3011-1 (mediawiki - security update)\");\n script_tag(name: \"last_modification\", value:\"$Date: 2017-07-11 11:58:05 +0200 (Tue, 11 Jul 2017) $\");\n script_tag(name: \"creation_date\", value:\"2014-08-23 00:00:00 +0200 (Sat, 23 Aug 2014)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2014/dsa-3011.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: tag_affected);\n script_tag(name: \"insight\", value: tag_insight);\n# 
script_tag(name: \"impact\", value: tag_impact);\n script_tag(name: \"solution\", value: tag_solution);\n script_tag(name: \"summary\", value: tag_summary);\n script_tag(name: \"vuldetect\", value: tag_vuldetect);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"mediawiki\", ver:\"1:1.19.18+dfsg-0+deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"mediawiki\", ver:\"1:1.19.18+dfsg-0+deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"mediawiki\", ver:\"1:1.19.18+dfsg-0+deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"mediawiki\", ver:\"1:1.19.18+dfsg-0+deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:37:30", "description": "The remote host is missing an update for the 'mediawiki' package(s) announced via the referenced advisory.", "cvss3": {}, "published": "2014-08-27T00:00:00", "type": "openvas", "title": "Fedora Update for mediawiki FEDORA-2014-9583", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-5243", "CVE-2014-5241", "CVE-2014-5242", "CVE-2014-1610", "CVE-2013-6453", "CVE-2013-6472", "CVE-2013-6452", "CVE-2013-6454", "CVE-2014-2853", "CVE-2013-6451"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310868133", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868133", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for mediawiki FEDORA-2014-9583\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 
Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.868133\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-08-27 05:55:03 +0200 (Wed, 27 Aug 2014)\");\n script_cve_id(\"CVE-2014-5241\", \"CVE-2014-5242\", \"CVE-2014-5243\", \"CVE-2014-2853\",\n \"CVE-2014-1610\", \"CVE-2013-6452\", \"CVE-2013-6451\", \"CVE-2013-6454\",\n \"CVE-2013-6453\", \"CVE-2013-6472\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for mediawiki FEDORA-2014-9583\");\n script_tag(name:\"affected\", value:\"mediawiki on Fedora 20\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"FEDORA\", value:\"2014-9583\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2014-August/137052.html\");\n script_tag(name:\"summary\", 
value:\"The remote host is missing an update for the 'mediawiki'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC20\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"mediawiki\", rpm:\"mediawiki~1.23.2~1.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:37:11", "description": "The remote host is missing an update for the 'mediawiki' package(s) announced via the referenced advisory.", "cvss3": {}, "published": "2014-08-27T00:00:00", "type": "openvas", "title": "Fedora Update for mediawiki FEDORA-2014-9548", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-5243", "CVE-2014-5241", "CVE-2014-5242", "CVE-2014-1610", "CVE-2013-6453", "CVE-2013-6472", "CVE-2013-6452", "CVE-2013-6454", "CVE-2014-2853", "CVE-2013-6451"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310868126", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868126", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for mediawiki FEDORA-2014-9548\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# 
This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.868126\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-08-27 05:54:27 +0200 (Wed, 27 Aug 2014)\");\n script_cve_id(\"CVE-2014-5241\", \"CVE-2014-5242\", \"CVE-2014-5243\", \"CVE-2014-2853\",\n \"CVE-2014-1610\", \"CVE-2013-6452\", \"CVE-2013-6451\", \"CVE-2013-6454\",\n \"CVE-2013-6453\", \"CVE-2013-6472\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for mediawiki FEDORA-2014-9548\");\n script_tag(name:\"affected\", value:\"mediawiki on Fedora 19\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"FEDORA\", value:\"2014-9548\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2014-August/137048.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'mediawiki'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n 
script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC19\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC19\")\n{\n\n if ((res = isrpmvuln(pkg:\"mediawiki\", rpm:\"mediawiki~1.23.2~1.fc19\", rls:\"FC19\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:36:44", "description": "Gentoo Linux Local Security Checks GLSA 201502-04", "cvss3": {}, "published": "2015-09-29T00:00:00", "type": "openvas", "title": "Gentoo Security Advisory GLSA 201502-04", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-9476", "CVE-2014-9479", "CVE-2014-2244", "CVE-2014-9477", "CVE-2014-5243", "CVE-2014-5241", "CVE-2014-2242", "CVE-2014-9487", "CVE-2014-5242", "CVE-2014-7199", "CVE-2014-1610", "CVE-2013-6453", "CVE-2014-9277", "CVE-2013-6472", "CVE-2014-9481", "CVE-2014-2243", "CVE-2014-9475", "CVE-2014-9507", "CVE-2013-6452", "CVE-2014-9478", "CVE-2014-2665", "CVE-2014-9276", "CVE-2013-6454", "CVE-2014-2853", "CVE-2013-6451", "CVE-2014-7295", "CVE-2014-9480"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310121343", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310121343", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: glsa-201502-04.nasl 12128 2018-10-26 13:35:25Z cfischer $\n#\n# Gentoo Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any 
later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.121343\");\n script_version(\"$Revision: 12128 $\");\n script_tag(name:\"creation_date\", value:\"2015-09-29 11:28:28 +0300 (Tue, 29 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 15:35:25 +0200 (Fri, 26 Oct 2018) $\");\n script_name(\"Gentoo Security Advisory GLSA 201502-04\");\n script_tag(name:\"insight\", value:\"Multiple vulnerabilities have been discovered in MediaWiki. 
Please review the CVE identifiers and MediaWiki announcement referenced below for details.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://security.gentoo.org/glsa/201502-04\");\n script_cve_id(\"CVE-2013-6451\", \"CVE-2013-6452\", \"CVE-2013-6453\", \"CVE-2013-6454\", \"CVE-2013-6472\", \"CVE-2014-1610\", \"CVE-2014-2242\", \"CVE-2014-2243\", \"CVE-2014-2244\", \"CVE-2014-2665\", \"CVE-2014-2853\", \"CVE-2014-5241\", \"CVE-2014-5242\", \"CVE-2014-5243\", \"CVE-2014-7199\", \"CVE-2014-7295\", \"CVE-2014-9276\", \"CVE-2014-9277\", \"CVE-2014-9475\", \"CVE-2014-9476\", \"CVE-2014-9477\", \"CVE-2014-9478\", \"CVE-2014-9479\", \"CVE-2014-9480\", \"CVE-2014-9481\", \"CVE-2014-9487\", \"CVE-2014-9507\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Gentoo Linux Local Security Checks GLSA 201502-04\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Gentoo Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\n\nif((res=ispkgvuln(pkg:\"www-apps/mediawiki\", unaffected: make_list(\"ge 1.23.8\"), vulnerable: make_list() )) != NULL) {\n\n report += res;\n}\nif((res=ispkgvuln(pkg:\"www-apps/mediawiki\", unaffected: make_list(\"ge 1.22.15\"), vulnerable: make_list() )) != NULL) {\n\n report += res;\n}\nif((res=ispkgvuln(pkg:\"www-apps/mediawiki\", unaffected: make_list(\"ge 1.19.23\"), vulnerable: make_list() )) != NULL) {\n\n report += res;\n}\nif((res=ispkgvuln(pkg:\"www-apps/mediawiki\", 
unaffected: make_list(), vulnerable: make_list(\"lt 1.23.8\"))) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2021-11-29T23:26:21", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3011-1 security@debian.org\nhttp://www.debian.org/security/ Salvatore Bonaccorso\nAugust 23, 2014 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : mediawiki\nCVE ID : CVE-2014-5241 CVE-2014-5243\nDebian Bug : 752622 758510\n\nIt was discovered that MediaWiki, a website engine for collaborative\nwork, is vulnerable to JSONP injection in Flash (CVE-2014-5241) and\nclickjacking between OutputPage and ParserOutput (CVE-2014-5243). The\nvulnerabilities are addressed by upgrading MediaWiki to the new upstream\nversion 1.19.18, which includes additional changes.\n\nFor the stable distribution (wheezy), these problems have been fixed in\nversion 1:1.19.18+dfsg-0+deb7u1.\n\nFor the unstable distribution (sid), these problems will be fixed soon.\n\nWe recommend that you upgrade your mediawiki packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {}, "published": "2014-08-23T15:27:05", "type": "debian", "title": "[SECURITY] [DSA 3011-1] mediawiki security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": 
"PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-5241", "CVE-2014-5243"], "modified": "2014-08-23T15:27:05", "id": "DEBIAN:DSA-3011-1:91EB7", "href": "https://lists.debian.org/debian-security-announce/2014/msg00196.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-10-21T23:04:32", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3011-1 security@debian.org\nhttp://www.debian.org/security/ Salvatore Bonaccorso\nAugust 23, 2014 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : mediawiki\nCVE ID : CVE-2014-5241 CVE-2014-5243\nDebian Bug : 752622 758510\n\nIt was discovered that MediaWiki, a website engine for collaborative\nwork, is vulnerable to JSONP injection in Flash (CVE-2014-5241) and\nclickjacking between OutputPage and ParserOutput (CVE-2014-5243). 
The\nvulnerabilities are addressed by upgrading MediaWiki to the new upstream\nversion 1.19.18, which includes additional changes.\n\nFor the stable distribution (wheezy), these problems have been fixed in\nversion 1:1.19.18+dfsg-0+deb7u1.\n\nFor the unstable distribution (sid), these problems will be fixed soon.\n\nWe recommend that you upgrade your mediawiki packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {}, "published": "2014-08-23T15:27:05", "type": "debian", "title": "[SECURITY] [DSA 3011-1] mediawiki security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-5241", "CVE-2014-5243"], "modified": "2014-08-23T15:27:05", "id": "DEBIAN:DSA-3011-1:FA8C2", "href": "https://lists.debian.org/debian-security-announce/2014/msg00196.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:53", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA512\r\n\r\n- -------------------------------------------------------------------------\r\nDebian Security Advisory DSA-3011-1 security@debian.org\r\nhttp://www.debian.org/security/ Salvatore Bonaccorso\r\nAugust 23, 2014 http://www.debian.org/security/faq\r\n- -------------------------------------------------------------------------\r\n\r\nPackage : 
mediawiki\r\nCVE ID : CVE-2014-5241 CVE-2014-5243\r\nDebian Bug : 752622 758510\r\n\r\nIt was discovered that MediaWiki, a website engine for collaborative\r\nwork, is vulnerable to JSONP injection in Flash (CVE-2014-5241) and\r\nclickjacking between OutputPage and ParserOutput (CVE-2014-5243). The\r\nvulnerabilities are addressed by upgrading MediaWiki to the new upstream\r\nversion 1.19.18, which includes additional changes.\r\n\r\nFor the stable distribution (wheezy), these problems have been fixed in\r\nversion 1:1.19.18+dfsg-0+deb7u1.\r\n\r\nFor the unstable distribution (sid), these problems will be fixed soon.\r\n\r\nWe recommend that you upgrade your mediawiki packages.\r\n\r\nFurther information about Debian Security Advisories, how to apply\r\nthese updates to your system and frequently asked questions can be\r\nfound at: https://www.debian.org/security/\r\n\r\nMailing list: debian-security-announce@lists.debian.org\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1\r\n\r\niQIcBAEBCgAGBQJT+LEyAAoJEAVMuPMTQ89ERCAP/1LNJsl8+W5uJLY+bg2qWojz\r\nq/RhnhN4IUe3Koie9MS9Awc8j6C9MyGCqGiBxKPZwtPyxwLjwcj15zki5hV6Dbq+\r\nktbwqVEkmtb0kvGzm9XemkJQgtB5Uv4GWNju4uBAMLIzurxXSKyddgvHhhbRN7Y6\r\nWtZsBQGVvvofhuQs6jRtT30wQP1PIqmep/QFbMtZ7Fn7VUnof4a7CAJ7dzm3Lufj\r\nKbN1tgtFH2MHqPnazl/zzWAFIg2Bzqc1qLvuSwczRM56lUJ+34TT4EKXI7XmGUDN\r\njLUN2PIz3GabSVWCF6Q/yegh+26FI4S6Uf/ZETLOm+crYhfn86jl0XeTayCfbunq\r\n4ztzm3/CDZtVAaJGJANae+Fp63YavfyE7CVPE+wx94YCBAfEvDDuT8ZReYq/OrdE\r\niLbsFn5OEwxhuCL1RfOc9pkbTkskh2WigW9G7zDQ8e1PhgkO/KaY/wDsYREOmJfU\r\nuxBtkNpT22jbZegQJmsNzcnWKTh9u0tZMX+Z1f0vwmEFOpwVkNCGt+1A7znhAhkX\r\nNyEbEM3Mcvx/oF/6oa8aPfo2+I40YdFTnex/UMq9Bz4I1dOMoe2HXBz4smhulbbV\r\n/cG2ftlEFZE3g0cT2OdQZAE2Izs70xoL+BiL+kNhqAoFGO9gVY3z4lLLFDr3u82j\r\njFvHc+YgOGrQBMJSy90g\r\n=neUj\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2014-08-26T00:00:00", "title": "[SECURITY] [DSA 3011-1] mediawiki security update", "type": "securityvulns", "bulletinFamily": "software", 
"cvss2": {}, "cvelist": ["CVE-2014-5243", "CVE-2014-5241"], "modified": "2014-08-26T00:00:00", "id": "SECURITYVULNS:DOC:31024", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31024", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2021-06-08T18:50:18", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "edition": 2, "cvss3": {}, "published": "2014-08-26T00:00:00", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-5025", "CVE-2014-5122", "CVE-2014-4722", "CVE-2014-2708", "CVE-2014-2327", "CVE-2014-0479", "CVE-2014-5243", "CVE-2014-0482", "CVE-2014-5241", "CVE-2014-5098", "CVE-2014-5339", "CVE-2014-0481", "CVE-2014-5097", "CVE-2014-3978", "CVE-2014-5262", "CVE-2014-5035", "CVE-2014-2709", "CVE-2014-5340", "CVE-2014-5026", "CVE-2014-5027", "CVE-2014-5261", "CVE-2014-5335", "CVE-2014-4002", "CVE-2014-2326", "CVE-2014-0480", "CVE-2014-5338", "CVE-2014-0483", "CVE-2014-3830", "CVE-2014-2328"], "modified": "2014-08-26T00:00:00", "id": "SECURITYVULNS:VULN:13930", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13930", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "ubuntucve": [{"lastseen": "2022-08-04T14:19:57", "description": "Cross-site scripting (XSS) vulnerability in\nmediawiki.page.image.pagination.js in MediaWiki 1.22.x before 1.22.9 and\n1.23.x before 1.23.2 allows remote attackers to inject arbitrary web script\nor HTML via vectors involving the multipageimagenavbox class in conjunction\nwith an action=raw value.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[seth-arnold](<https://launchpad.net/~seth-arnold>) | Introduced in 1.22, thus none of our packages are affected\n", "cvss3": {}, "published": "2014-08-22T00:00:00", "type": 
"ubuntucve", "title": "CVE-2014-5242", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-5242"], "modified": "2014-08-22T00:00:00", "id": "UB:CVE-2014-5242", "href": "https://ubuntu.com/security/CVE-2014-5242", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-08-04T14:32:21", "description": "The JSONP endpoint in includes/api/ApiFormatJson.php in MediaWiki before\n1.19.18, 1.20.x through 1.22.x before 1.22.9, and 1.23.x before 1.23.2\naccepts certain long callback values and does not restrict the initial\nbytes of a JSONP response, which allows remote attackers to conduct\ncross-site request forgery (CSRF) attacks, and obtain sensitive\ninformation, via a crafted OBJECT element with SWF content consistent with\na restricted character set.", "cvss3": {}, "published": "2014-08-22T00:00:00", "type": "ubuntucve", "title": "CVE-2014-5241", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-5241"], "modified": "2014-08-22T00:00:00", "id": "UB:CVE-2014-5241", "href": 
"https://ubuntu.com/security/CVE-2014-5241", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-04T14:19:56", "description": "MediaWiki before 1.19.18, 1.20.x through 1.22.x before 1.22.9, and 1.23.x\nbefore 1.23.2 does not enforce an IFRAME protection mechanism for\ntranscluded pages, which makes it easier for remote attackers to conduct\nclickjacking attacks via a crafted web site.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[seth-arnold](<https://launchpad.net/~seth-arnold>) | bug not visible on 2014-08-14\n", "cvss3": {}, "published": "2014-08-22T00:00:00", "type": "ubuntucve", "title": "CVE-2014-5243", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-5243"], "modified": "2014-08-22T00:00:00", "id": "UB:CVE-2014-5243", "href": "https://ubuntu.com/security/CVE-2014-5243", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "cve": [{"lastseen": "2022-03-23T13:38:57", "description": "Cross-site scripting (XSS) vulnerability in mediawiki.page.image.pagination.js in MediaWiki 1.22.x before 1.22.9 and 1.23.x before 1.23.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving the multipageimagenavbox class in conjunction with an action=raw value.", "cvss3": {}, "published": "2014-08-22T17:55:00", "type": "cve", "title": "CVE-2014-5242", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": 
false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-5242"], "modified": "2015-09-08T17:55:00", "cpe": ["cpe:/a:mediawiki:mediawiki:1.22.6", "cpe:/a:mediawiki:mediawiki:1.22.0", "cpe:/a:mediawiki:mediawiki:1.22.5", "cpe:/a:mediawiki:mediawiki:1.22.8", "cpe:/a:mediawiki:mediawiki:1.23.1", "cpe:/a:mediawiki:mediawiki:1.22.4", "cpe:/a:mediawiki:mediawiki:1.22.3", "cpe:/a:mediawiki:mediawiki:1.23.0", "cpe:/a:mediawiki:mediawiki:1.22.1", "cpe:/a:mediawiki:mediawiki:1.22.7", "cpe:/a:mediawiki:mediawiki:1.22.2"], "id": "CVE-2014-5242", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5242", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:mediawiki:mediawiki:1.22.7:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.23.1:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.5:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.8:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.3:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.23.0:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.2:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.1:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.0:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.6:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.4:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T13:38:54", "description": "The JSONP endpoint in includes/api/ApiFormatJson.php in MediaWiki before 1.19.18, 1.20.x through 1.22.x before 1.22.9, and 1.23.x before 1.23.2 accepts certain long callback values and does not restrict the initial bytes of a JSONP response, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and obtain sensitive information, via a 
crafted OBJECT element with SWF content consistent with a restricted character set.", "cvss3": {}, "published": "2014-08-22T17:55:00", "type": "cve", "title": "CVE-2014-5241", "cwe": ["CWE-352"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-5241"], "modified": "2017-01-07T03:00:00", "cpe": ["cpe:/a:mediawiki:mediawiki:1.21.6", "cpe:/a:mediawiki:mediawiki:1.21.7", "cpe:/a:mediawiki:mediawiki:1.22.6", "cpe:/a:mediawiki:mediawiki:1.19.15", "cpe:/a:mediawiki:mediawiki:1.19.10", "cpe:/a:mediawiki:mediawiki:1.21.3", "cpe:/a:mediawiki:mediawiki:1.19.1", "cpe:/a:mediawiki:mediawiki:1.19.14", "cpe:/a:mediawiki:mediawiki:1.19.2", "cpe:/a:mediawiki:mediawiki:1.22.1", "cpe:/a:mediawiki:mediawiki:1.19.6", "cpe:/a:mediawiki:mediawiki:1.22.2", "cpe:/a:mediawiki:mediawiki:1.20.2", "cpe:/a:mediawiki:mediawiki:1.21.10", "cpe:/a:mediawiki:mediawiki:1.21.9", "cpe:/a:mediawiki:mediawiki:1.19.4", "cpe:/a:mediawiki:mediawiki:1.19.0", "cpe:/a:mediawiki:mediawiki:1.22.0", "cpe:/a:mediawiki:mediawiki:1.23.1", "cpe:/a:mediawiki:mediawiki:1.19.5", "cpe:/a:mediawiki:mediawiki:1.22.3", "cpe:/a:mediawiki:mediawiki:1.20.5", "cpe:/a:mediawiki:mediawiki:1.19.13", "cpe:/a:mediawiki:mediawiki:1.19", "cpe:/a:mediawiki:mediawiki:1.21.8", "cpe:/a:mediawiki:mediawiki:1.19.17", "cpe:/a:mediawiki:mediawiki:1.23.0", "cpe:/a:mediawiki:mediawiki:1.22.8", "cpe:/a:mediawiki:mediawiki:1.19.11", "cpe:/a:mediawiki:mediawiki:1.21.2", "cpe:/a:mediawiki:mediawiki:1.20.6", "cpe:/a:mediawiki:mediawiki:1.19.3", "cpe:/a:mediawiki:mediawiki:1.21.1", 
"cpe:/a:mediawiki:mediawiki:1.20.3", "cpe:/a:mediawiki:mediawiki:1.20.1", "cpe:/a:mediawiki:mediawiki:1.21.5", "cpe:/a:mediawiki:mediawiki:1.20.7", "cpe:/a:mediawiki:mediawiki:1.19.12", "cpe:/a:mediawiki:mediawiki:1.19.9", "cpe:/a:mediawiki:mediawiki:1.22.5", "cpe:/a:mediawiki:mediawiki:1.20.4", "cpe:/a:mediawiki:mediawiki:1.22.4", "cpe:/a:mediawiki:mediawiki:1.20.8", "cpe:/a:mediawiki:mediawiki:1.19.8", "cpe:/a:mediawiki:mediawiki:1.22.7", "cpe:/a:mediawiki:mediawiki:1.19.7", "cpe:/a:mediawiki:mediawiki:1.19.16", "cpe:/a:mediawiki:mediawiki:1.21.4"], "id": "CVE-2014-5241", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5241", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:mediawiki:mediawiki:1.19.12:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.21.3:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.21.8:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.4:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19:beta_2:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.15:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19:beta_1:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.13:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.10:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.1:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.14:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.3:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.16:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.7:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.6:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.1:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.20.5:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.5:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.11:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.21.10:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.21.9:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.2:*:*:*:*:*:*:*", 
"cpe:2.3:a:mediawiki:mediawiki:1.20.6:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.0:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.23.1:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.21.6:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.17:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.20.3:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.20.1:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.21.4:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.8:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.8:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.5:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.21.2:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.23.0:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.20.4:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.21.1:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.9:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.4:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.0:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.20.8:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.21.7:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.20.2:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.7:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.3:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.2:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.21.5:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.20.7:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.6:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T13:39:00", "description": "MediaWiki before 1.19.18, 1.20.x through 1.22.x before 1.22.9, and 1.23.x before 1.23.2 does not enforce an IFRAME protection mechanism for transcluded pages, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site.", "cvss3": {}, "published": "2014-08-22T17:55:00", "type": "cve", "title": "CVE-2014-5243", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, 
"userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-5243"], "modified": "2017-01-07T03:00:00", "cpe": ["cpe:/a:mediawiki:mediawiki:1.21.6", "cpe:/a:mediawiki:mediawiki:1.21.7", "cpe:/a:mediawiki:mediawiki:1.22.6", "cpe:/a:mediawiki:mediawiki:1.19.15", "cpe:/a:mediawiki:mediawiki:1.19.10", "cpe:/a:mediawiki:mediawiki:1.21.3", "cpe:/a:mediawiki:mediawiki:1.19.1", "cpe:/a:mediawiki:mediawiki:1.19.14", "cpe:/a:mediawiki:mediawiki:1.19.2", "cpe:/a:mediawiki:mediawiki:1.22.1", "cpe:/a:mediawiki:mediawiki:1.19.6", "cpe:/a:mediawiki:mediawiki:1.22.2", "cpe:/a:mediawiki:mediawiki:1.20.2", "cpe:/a:mediawiki:mediawiki:1.21.10", "cpe:/a:mediawiki:mediawiki:1.21.9", "cpe:/a:mediawiki:mediawiki:1.19.4", "cpe:/a:mediawiki:mediawiki:1.19.0", "cpe:/a:mediawiki:mediawiki:1.22.0", "cpe:/a:mediawiki:mediawiki:1.23.1", "cpe:/a:mediawiki:mediawiki:1.22.3", "cpe:/a:mediawiki:mediawiki:1.19.5", "cpe:/a:mediawiki:mediawiki:1.20.5", "cpe:/a:mediawiki:mediawiki:1.19.13", "cpe:/a:mediawiki:mediawiki:1.19", "cpe:/a:mediawiki:mediawiki:1.19.17", "cpe:/a:mediawiki:mediawiki:1.21.8", "cpe:/a:mediawiki:mediawiki:1.23.0", "cpe:/a:mediawiki:mediawiki:1.22.8", "cpe:/a:mediawiki:mediawiki:1.19.11", "cpe:/a:mediawiki:mediawiki:1.21.2", "cpe:/a:mediawiki:mediawiki:1.20.6", "cpe:/a:mediawiki:mediawiki:1.19.3", "cpe:/a:mediawiki:mediawiki:1.21.1", "cpe:/a:mediawiki:mediawiki:1.20.3", "cpe:/a:mediawiki:mediawiki:1.20.1", "cpe:/a:mediawiki:mediawiki:1.21.5", "cpe:/a:mediawiki:mediawiki:1.20.7", "cpe:/a:mediawiki:mediawiki:1.19.12", "cpe:/a:mediawiki:mediawiki:1.19.9", "cpe:/a:mediawiki:mediawiki:1.22.5", "cpe:/a:mediawiki:mediawiki:1.20.4", 
"cpe:/a:mediawiki:mediawiki:1.22.4", "cpe:/a:mediawiki:mediawiki:1.20.8", "cpe:/a:mediawiki:mediawiki:1.19.8", "cpe:/a:mediawiki:mediawiki:1.22.7", "cpe:/a:mediawiki:mediawiki:1.19.7", "cpe:/a:mediawiki:mediawiki:1.19.16", "cpe:/a:mediawiki:mediawiki:1.21.4"], "id": "CVE-2014-5243", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5243", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:mediawiki:mediawiki:1.19.12:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.21.3:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.21.8:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.4:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19:beta_2:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.15:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19:beta_1:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.13:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.10:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.1:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.14:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.3:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.16:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.7:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.6:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.1:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.20.5:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.11:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.5:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.21.10:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.21.9:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.2:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.20.6:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.0:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.23.1:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.21.6:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.17:*:*:*:*:*:*:*", 
"cpe:2.3:a:mediawiki:mediawiki:1.20.3:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.20.1:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.21.4:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.8:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.8:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.5:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.21.2:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.23.0:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.20.4:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.21.1:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.9:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.4:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.0:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.20.8:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.21.7:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.20.2:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.7:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.3:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.19.2:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.21.5:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.20.7:*:*:*:*:*:*:*", "cpe:2.3:a:mediawiki:mediawiki:1.22.6:*:*:*:*:*:*:*"]}], "debiancve": [{"lastseen": "2022-07-06T06:01:58", "description": "Cross-site scripting (XSS) vulnerability in mediawiki.page.image.pagination.js in MediaWiki 1.22.x before 1.22.9 and 1.23.x before 1.23.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving the multipageimagenavbox class in conjunction with an action=raw value.", "cvss3": {}, "published": "2014-08-22T17:55:00", "type": "debiancve", "title": "CVE-2014-5242", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": 
"AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-5242"], "modified": "2014-08-22T17:55:00", "id": "DEBIANCVE:CVE-2014-5242", "href": "https://security-tracker.debian.org/tracker/CVE-2014-5242", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-07-06T06:01:58", "description": "The JSONP endpoint in includes/api/ApiFormatJson.php in MediaWiki before 1.19.18, 1.20.x through 1.22.x before 1.22.9, and 1.23.x before 1.23.2 accepts certain long callback values and does not restrict the initial bytes of a JSONP response, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and obtain sensitive information, via a crafted OBJECT element with SWF content consistent with a restricted character set.", "cvss3": {}, "published": "2014-08-22T17:55:00", "type": "debiancve", "title": "CVE-2014-5241", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-5241"], "modified": "2014-08-22T17:55:00", "id": "DEBIANCVE:CVE-2014-5241", "href": "https://security-tracker.debian.org/tracker/CVE-2014-5241", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-06T06:01:58", "description": "MediaWiki before 1.19.18, 1.20.x through 1.22.x before 1.22.9, and 1.23.x before 1.23.2 does not enforce an IFRAME protection mechanism for transcluded pages, which makes it easier for remote attackers to conduct 
clickjacking attacks via a crafted web site.", "cvss3": {}, "published": "2014-08-22T17:55:00", "type": "debiancve", "title": "CVE-2014-5243", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-5243"], "modified": "2014-08-22T17:55:00", "id": "DEBIANCVE:CVE-2014-5243", "href": "https://security-tracker.debian.org/tracker/CVE-2014-5243", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "fedora": [{"lastseen": "2020-12-21T08:17:52", "description": "MediaWiki is the software used for Wikipedia and the other Wikimedia Foundation websites. Compared to other wikis, it has an excellent range of features and support for high-traffic websites using multiple servers. This package supports wiki farms. Read the instructions for creating wiki instances under /usr/share/doc/mediawiki-1.23.2/README.RPM. Remember to remove the config dir after completing the configuration. 
", "cvss3": {}, "published": "2014-08-27T01:33:58", "type": "fedora", "title": "[SECURITY] Fedora 19 Update: mediawiki-1.23.2-1.fc19", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-6451", "CVE-2013-6452", "CVE-2013-6453", "CVE-2013-6454", "CVE-2013-6472", "CVE-2014-1610", "CVE-2014-2853", "CVE-2014-5241", "CVE-2014-5242", "CVE-2014-5243"], "modified": "2014-08-27T01:33:58", "id": "FEDORA:1E4A7222C1", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/D6RASRJY7ARJLNOJXYN3JU445PSIZO3J/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:52", "description": "MediaWiki is the software used for Wikipedia and the other Wikimedia Foundation websites. Compared to other wikis, it has an excellent range of features and support for high-traffic websites using multiple servers. This package supports wiki farms. Read the instructions for creating wiki instances under /usr/share/doc/mediawiki/README.RPM. Remember to remove the config dir after completing the configuration. 
", "cvss3": {}, "published": "2014-08-27T01:34:20", "type": "fedora", "title": "[SECURITY] Fedora 20 Update: mediawiki-1.23.2-1.fc20", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-6451", "CVE-2013-6452", "CVE-2013-6453", "CVE-2013-6454", "CVE-2013-6472", "CVE-2014-1610", "CVE-2014-2853", "CVE-2014-5241", "CVE-2014-5242", "CVE-2014-5243"], "modified": "2014-08-27T01:34:20", "id": "FEDORA:47A4C221C5", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3V7RS574HYEM2WJZ2T53Z4YLCOT35T7J/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "gentoo": [{"lastseen": "2022-01-17T19:07:10", "description": "### Background\n\nMediaWiki is a collaborative editing software used by large projects such as Wikipedia. \n\n### Description\n\nMultiple vulnerabilities have been discovered in MediaWiki. Please review the CVE identifiers and MediaWiki announcement referenced below for details. \n\n### Impact\n\nA remote attacker may be able to execute arbitrary code with the privileges of the process, create a Denial of Service condition, obtain sensitive information, bypass security restrictions, and inject arbitrary web script or HTML. 
\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll MediaWiki 1.23 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-apps/mediawiki-1.23.8\"\n \n\nAll MediaWiki 1.22 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-apps/mediawiki-1.22.15\"\n \n\nAll MediaWiki 1.19 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-apps/mediawiki-1.19.23\"", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2015-02-07T00:00:00", "type": "gentoo", "title": "MediaWiki: Multiple vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-6451", "CVE-2013-6452", "CVE-2013-6453", "CVE-2013-6454", "CVE-2013-6472", "CVE-2014-1610", "CVE-2014-2242", "CVE-2014-2243", "CVE-2014-2244", "CVE-2014-2665", "CVE-2014-2853", "CVE-2014-5241", "CVE-2014-5242", "CVE-2014-5243", "CVE-2014-7199", "CVE-2014-7295", "CVE-2014-9276", "CVE-2014-9277", "CVE-2014-9475", "CVE-2014-9476", "CVE-2014-9477", "CVE-2014-9478", "CVE-2014-9479", 
"CVE-2014-9480", "CVE-2014-9481", "CVE-2014-9487", "CVE-2014-9507"], "modified": "2015-02-07T00:00:00", "id": "GLSA-201502-04", "href": "https://security.gentoo.org/glsa/201502-04", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}