Description
MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5, and 1.19.x before 1.19.11, when DjVu or PDF file upload support is enabled, allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the page parameter to includes/media/DjVu.php; (2) the w parameter (aka width field) to thumb.php, which is not properly handled by includes/media/PdfHandler_body.php; and possibly unspecified vectors in (3) includes/media/Bitmap.php and (4) includes/media/ImageHandler.php.
Remediation
References
Related Vulnerabilities
WordPress Plugin Tutor LMS Elementor Addons Cross-Site Scripting (2.1.3)
GlassFish CVE-2017-10393 Vulnerability (CVE-2017-10393)
PHP Improper Input Validation Vulnerability (CVE-2016-7417)
WordPress Plugin aoringo CAT setter Cross-Site Scripting (0.1.1)
WordPress Plugin Social Rocket-Social Sharing Cross-Site Request Forgery (1.2.9)