Description

MediaWiki version older than 1.22.2, 1.21.5 and 1.19.11 are affected by a remote code execution vulnerability if file upload support for DjVu is enabled (natively supported by MediaWiki) or PDF file upload support is enabled (in combination with the PdfHandler extension). Neither file type is enabled by default in MediaWiki installations. If you are affected, we strongly urge you to update immediately.

Remediation

Update to the latest version of MediaWiki.

References

MediaWiki Security Releases: 1.22.2, 1.21.5 and 1.19.11

Related Vulnerabilities

WordPress Plugin Otter-Gutenberg Blocks-Page Builder for Gutenberg Editor & FSE PHAR Deserialization (2.2.5)

WordPress Plugin Zedity:The Easiest Way To Create Posts & Pages Cross-Site Scripting (2.5.0)

Liferay XMLRPC Blind SSRF

Joomla! Core 2.5.x Information Disclosure (2.5.0 - 2.5.9)

WordPress Plugin Yoast SEO Possible Remote Code Execution (9.1.0)

Severity

High

Classification

CVE-2014-1610 CWE-20 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Tags

Code Execution Configuration Missing Update