Vulnerability Details : CVE-2014-7199
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.19, 1.22.x before 1.22.11, and 1.23.x before 1.23.4 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG file.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2014-7199
- cpe:2.3:a:mediawiki:mediawiki:1.19:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19:beta_2:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19:beta_1:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.0:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.1:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.2:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.5:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.3:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.7:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.6:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.4:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.8:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.22.0:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.10:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.22.1:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.9:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.22.2:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.22.3:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.12:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.22.4:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.11:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.22.5:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.13:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.14:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.22.6:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.22.7:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.22.8:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.23.0:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.15:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.16:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.23.1:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.17:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.23.3:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.18:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.22.9:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.23.2:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.22.10:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-7199
0.23%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 61 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2014-7199
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
8.6
|
2.9
|
NIST |
CWE ids for CVE-2014-7199
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-7199
-
http://www.debian.org/security/2014/dsa-3036
Debian -- Security Information -- DSA-3036-1 mediawiki
-
https://gerrit.wikimedia.org/r/#/c/162777/
Change I732eece7: SECURITY: Enhance CSS filtering in SVG files | gerrit.wikimedia Code Review
-
http://www.openwall.com/lists/oss-security/2014/09/27/2
oss-security - Re: CVE request: Mediawiki before 1.19.19, 1.22.11 and 1.23.4 insufficient CSS filtering of SVGs
-
https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-September/000161.html
[MediaWiki-announce] MediaWiki Security and Maintenance Releases: 1.19.19, 1.22.11 and 1.23.4Patch
-
https://bugzilla.wikimedia.org/show_bug.cgi?id=69008
⚓ T71008 Upload should disallow SVGs with third-party content in style elements (not just style attributes)Patch
Jump to