Summary
This host is installed with the Hovercards extension for MediaWiki and is prone to a cross-site scripting vulnerability.
Impact
Successful exploitation will allow a remote attacker to execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
Impact Level: Application
Solution
Upgrade to Hovercards extension version 1.24 or later. For updates refer to http://www.mediawiki.org/wiki/Special:ExtensionDistributor/Popups
Insight
The flaw exists because input passed via the text parameter to the 'Extension:Popups' script is not validated before being returned to users.
Affected
Hovercards extension versions before 1.24 for MediaWiki
Detection
Send a crafted HTTP POST request and check whether it is able to read the cookie or not.
Severity
Classification
- CVE: CVE-2014-9480
- CVSS Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)