Vulnerability Details : CVE-2014-7295
The (1) Special:Preferences and (2) Special:UserLogin pages in MediaWiki before 1.19.20, 1.22.x before 1.22.12 and 1.23.x before 1.23.5 allows remote authenticated users to conduct cross-site scripting (XSS) attacks or have unspecified other impact via crafted CSS, as demonstrated by modifying MediaWiki:Common.css.
Vulnerability category: Cross site scripting (XSS)
Exploit prediction scoring system (EPSS) score for CVE-2014-7295
Probability of exploitation activity in the next 30 days: 0.14%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 49 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2014-7295
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
3.5
|
LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |
6.8
|
2.9
|
NIST |
CWE ids for CVE-2014-7295
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-7295
-
http://www.securityfocus.com/bid/70238
Mediawiki 'OutputPage.php' Cross Site Scripting Vulnerability
-
http://www.debian.org/security/2014/dsa-3046
Debian -- Security Information -- DSA-3046-1 mediawiki
-
https://bugzilla.wikimedia.org/show_bug.cgi?id=70672
⚓ T72672 User specified CSS loads on Special:Preferences / Special:UserLoginPatch
-
http://seclists.org/oss-sec/2014/q4/67
oss-sec: Re: CVE request: Mediawiki before 1.19.20, 1.22.12, 1.23.5 XSS through CSS
-
https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-October/000163.html
[MediaWiki-announce] MediaWiki Security and Maintenance Releases: 1.19.20, 1.22.12 and 1.23.5
Products affected by CVE-2014-7295
- cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19:beta_2:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19:beta_1:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.0:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.1:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.2:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.5:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.3:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.7:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.6:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.4:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.8:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.22.0:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.10:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.22.1:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.9:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.22.2:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.22.3:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.12:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.22.4:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.11:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.22.5:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.13:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.14:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.22.6:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.22.7:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.22.8:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.23.0:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.15:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.16:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.23.1:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.17:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.23.3:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.18:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.22.9:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.23.2:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.22.10:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.22.11:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.23.4:*:*:*:*:*:*:*