QwikSec

Security Database

CVE

CWE

Training

CVE-2014-5241

Published: Aug 22, 2014

Modified: Aug 6, 2024

PUBLISHED

Description

The JSONP endpoint in includes/api/ApiFormatJson.php in MediaWiki before 1.19.18, 1.20.x through 1.22.x before 1.22.9, and 1.23.x before 1.23.2 accepts certain long callback values and does not restrict the initial bytes of a JSONP response, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and obtain sensitive information, via a crafted OBJECT element with SWF content consistent with a restricted character set.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

[MediaWiki-announce] 20140730 MediaWiki Security and Maintenance Releases: 1.19.18, 1.22.9 and 1.23.2

mailing-list

x_refsource_MLIST

vendor-advisory

x_refsource_DEBIAN

vendor-advisory

x_refsource_MANDRIVA

third-party-advisory

x_refsource_SECUNIA

https://bugzilla.wikimedia.org/show_bug.cgi?id=68187

x_refsource_CONFIRM

[oss-security] 20140814 Re: Possible CVE Request: MediaWiki Security and Maintenance Releases: 1.19.18, 1.22.9 and 1.23.2

mailing-list

x_refsource_MLIST

http://advisories.mageia.org/MGASA-2014-0309.html

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

CVE-2014-5241 - Security Vulnerability | QwikSec