CVE-2014-7295

NameCVE-2014-7295
DescriptionThe (1) Special:Preferences and (2) Special:UserLogin pages in MediaWiki before 1.19.20, 1.22.x before 1.22.12 and 1.23.x before 1.23.5 allows remote authenticated users to conduct cross-site scripting (XSS) attacks or have unspecified other impact via crafted CSS, as demonstrated by modifying MediaWiki:Common.css.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-3046-1
NVD severitylow (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
mediawiki (PTS)wheezy, wheezy (security)1:1.19.20+dfsg-0+deb7u3fixed
buster, stretch, sid1:1.27.3-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
mediawikisource(unstable)1:1.19.20+dfsg-1low
mediawikisourcesqueeze(unfixed)end-of-life
mediawikisourcewheezy1:1.19.20+dfsg-0+deb7u1lowDSA-3046-1

Notes

https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-October/000163.html
https://bugzilla.wikimedia.org/show_bug.cgi?id=70672

Search for package or bug name: Reporting problems