The installed version of MediaWiki is a 1.23.x release earlier than 1.23.7 and is affected by multiple vulnerabilities:
- A reflected cross-site scripting (XSS) flaw exists because ‘Special:ExpandTemplates’ does not validate input to the ‘wpInput’ parameter before rendering it as raw HTML and returning it to users. A context-dependent attacker may be able to create a specially crafted request that executes arbitrary script code in a user’s browser session, within the trust relationship between the browser and the server. (CVE-2014-9276)
- A flaw in the ‘wfMangleFlashPolicy()’ function in the ‘OutputHandler.php’ script corrupts API output that contains ‘cross-domain-policy’ when that output is handled by the function. This may allow a remote attacker to more easily bypass intended cross-domain-policy restrictions. (CVE-2014-9277)
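
The version range above can be checked across an inventory of wikis with the following added example, which is not part of the advisory or of MediaWiki. It assumes each wiki exposes an accurate `generator` meta tag (a banner cannot reveal backported patches); the function names and sample hosts are constructed for illustration.

```python
import re

BRANCH = (1, 23)   # branch named in the advisory
FIXED_PATCH = 7    # first fixed release in that branch: 1.23.7

_META_RE = re.compile(r'<meta\s+name="generator"\s+content="([^"]*)"', re.I)
_VERSION_RE = re.compile(r"MediaWiki\s+(\d+)\.(\d+)(?:\.(\d+))?")

def generator_from_html(html):
    """Return the generator meta content, or None if the tag is absent."""
    m = _META_RE.search(html or "")
    return m.group(1) if m else None

def classify(generator):
    """Map a generator string to 'affected', 'fixed', 'out-of-scope' or 'unknown'."""
    m = _VERSION_RE.search(generator or "")
    if not m:
        return "unknown"
    if (int(m.group(1)), int(m.group(2))) != BRANCH:
        return "out-of-scope"      # other branches are not covered by this advisory
    if m.group(3) is None:
        return "unknown"           # no patch level reported
    # Compare as integers: string comparison would rank "1.23.10" below "1.23.7".
    # Assumption: pre-releases such as 1.23.0-rc.1 count as earlier than 1.23.7.
    return "affected" if int(m.group(3)) < FIXED_PATCH else "fixed"

def triage(pages):
    """pages: {host: html}. Returns {host: classification}."""
    return {host: classify(generator_from_html(html)) for host, html in pages.items()}

# Constructed sample responses (host names are placeholders).
SAMPLE = {
    "wiki-a.example": '<head><meta name="generator" content="MediaWiki 1.23.5"/></head>',
    "wiki-b.example": '<head><meta name="generator" content="MediaWiki 1.23.10"/></head>',
    "wiki-c.example": '<head><meta name="generator" content="MediaWiki 1.24.1"/></head>',
    "wiki-d.example": "<head><title>No generator tag</title></head>",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host}: {status}")
```

Hosts reported as `unknown` or `out-of-scope` still need their version confirmed by other means before being considered unaffected.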