Lucene search

[email protected]NVD:CVE-2014-5241

HistoryAug 22, 2014 - 5:55 p.m.

CVE-2014-5241

2014-08-2217:55:02

CWE-352

[email protected]

web.nvd.nist.gov

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

6.3 Medium

AI Score

Confidence

Low

0.006 Low

EPSS

Percentile

78.5%

JSON

The JSONP endpoint in includes/api/ApiFormatJson.php in MediaWiki before 1.19.18, 1.20.x through 1.22.x before 1.22.9, and 1.23.x before 1.23.2 accepts certain long callback values and does not restrict the initial bytes of a JSONP response, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and obtain sensitive information, via a crafted OBJECT element with SWF content consistent with a restricted character set.

Affected configurations

NVD

Node

mediawikimediawikiRange≤1.19.17

mediawikimediawikiMatch1.19

mediawikimediawikiMatch1.19beta_1

mediawikimediawikiMatch1.19beta_2

mediawikimediawikiMatch1.19.0

mediawikimediawikiMatch1.19.1

mediawikimediawikiMatch1.19.2

mediawikimediawikiMatch1.19.3

mediawikimediawikiMatch1.19.4

mediawikimediawikiMatch1.19.5

mediawikimediawikiMatch1.19.6

mediawikimediawikiMatch1.19.7

mediawikimediawikiMatch1.19.8

mediawikimediawikiMatch1.19.9

mediawikimediawikiMatch1.19.10

mediawikimediawikiMatch1.19.11

mediawikimediawikiMatch1.19.12

mediawikimediawikiMatch1.19.13

mediawikimediawikiMatch1.19.14

mediawikimediawikiMatch1.19.15

mediawikimediawikiMatch1.19.16

mediawikimediawikiMatch1.20.1

mediawikimediawikiMatch1.20.2

mediawikimediawikiMatch1.20.3

mediawikimediawikiMatch1.20.4

mediawikimediawikiMatch1.20.5

mediawikimediawikiMatch1.20.6

mediawikimediawikiMatch1.20.7

mediawikimediawikiMatch1.20.8

mediawikimediawikiMatch1.21.1

mediawikimediawikiMatch1.21.2

mediawikimediawikiMatch1.21.3

mediawikimediawikiMatch1.21.4

mediawikimediawikiMatch1.21.5

mediawikimediawikiMatch1.21.6

mediawikimediawikiMatch1.21.7

mediawikimediawikiMatch1.21.8

mediawikimediawikiMatch1.21.9

mediawikimediawikiMatch1.21.10

mediawikimediawikiMatch1.22.0

mediawikimediawikiMatch1.22.1

mediawikimediawikiMatch1.22.2

mediawikimediawikiMatch1.22.3

mediawikimediawikiMatch1.22.4

mediawikimediawikiMatch1.22.5

mediawikimediawikiMatch1.22.6

mediawikimediawikiMatch1.22.7

mediawikimediawikiMatch1.22.8

mediawikimediawikiMatch1.23.0

mediawikimediawikiMatch1.23.1

References

advisories.mageia.org/MGASA-2014-0309.html

openwall.com/lists/oss-security/2014/08/14/5

secunia.com/advisories/59738

www.debian.org/security/2014/dsa-3011

www.mandriva.com/security/advisories?name=MDVSA-2014:153

bugzilla.wikimedia.org/show_bug.cgi?id=68187

lists.wikimedia.org/pipermail/mediawiki-announce/2014-July/000157.html

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

6.3 Medium

AI Score

Confidence

Low

0.006 Low

EPSS

Percentile

78.5%

JSON

Related for NVD:CVE-2014-5241

ubuntucve1 prion1 cvelist1 cve1 debiancve1 nessus5 openvas6 debian2 osv1 securityvulns2 mageia1 fedora2 gentoo1