CVE-2014-9475

Name: CVE-2014-9475
Description: Cross-site scripting (XSS) vulnerability in thumb.php in MediaWiki before 1.19.23, 1.2x before 1.22.15, 1.23.x before 1.23.8, and 1.24.x before 1.24.1 allows remote authenticated users to inject arbitrary web script or HTML via a wikitext message.
Source: CVE (at NVD)
References: DSA-3110-1
NVD severity: low (attack range: remote)
Debian Bugs: 773654

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   | Release                   | Version                 | Status
mediawiki (PTS)  | wheezy, wheezy (security) | 1:1.19.20+dfsg-0+deb7u3 | fixed
mediawiki (PTS)  | buster, sid, stretch      | 1:1.27.3-1              | fixed

The information below is based on the following data on fixed versions.

Package   | Type   | Release    | Fixed Version           | Urgency     | Origin     | Debian Bugs
mediawiki | source | (unstable) | 1:1.19.20+dfsg-2.2      | low         |            | 773654
mediawiki | source | squeeze    | (unfixed)               | end-of-life |            |
mediawiki | source | wheezy     | 1:1.19.20+dfsg-0+deb7u3 | low         | DSA-3110-1 |

Notes

https://phabricator.wikimedia.org/T76686 (still not public)
