CVSS2: 6 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:M/Au:S/C:P/I:P/A:P
EPSS: 0.083 Low
Percentile: 94.3%
MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5, and 1.19.x before
1.19.11, when DjVu or PDF file upload support is enabled, allows remote
attackers to execute arbitrary commands via shell metacharacters in (1) the
page parameter to includes/media/DjVu.php; (2) the w parameter (aka width
field) to thumb.php, which is not properly handled by
includes/media/PdfHandler_body.php; and possibly unspecified vectors in (3)
includes/media/Bitmap.php and (4) includes/media/ImageHandler.php.
lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000140.html
osvdb.org/102630
secunia.com/advisories/56695
bugzilla.wikimedia.org/attachment.cgi?id=14361&action=diff
bugzilla.wikimedia.org/attachment.cgi?id=14384&action=diff
bugzilla.wikimedia.org/show_bug.cgi?id=60339
gerrit.wikimedia.org/r/#/c/110069/
gerrit.wikimedia.org/r/#/c/110069/2/includes/media/Bitmap.php
gerrit.wikimedia.org/r/#/c/110215/
launchpad.net/bugs/cve/CVE-2014-1610
nvd.nist.gov/vuln/detail/CVE-2014-1610
security-tracker.debian.org/tracker/CVE-2014-1610
www.cve.org/CVERecord?id=CVE-2014-1610