Description

Cross-site request forgery (CSRF) vulnerability in the Special:ExpandedTemplates page in MediaWiki before 1.19.22, 1.20.x through 1.22.x before 1.22.14, and 1.23.x before 1.23.7, when $wgRawHTML is set to true, allows remote attackers to hijack the authentication of users with edit permissions for requests that cross-site scripting (XSS) attacks via the wpInput parameter, which is not properly handled in the preview.

Remediation

References

CVE-2014-9276

Related Vulnerabilities

Zenphoto Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2010-4906)

ZenCart Inclusion of Functionality from Untrusted Control Sphere Vulnerability (CVE-2024-5762)

Drupal Other Vulnerability (CVE-2006-5477)

WordPress Plugin Top 10-Popular posts for WordPress Cross-Site Request Forgery (1.9.2)

WordPress Plugin YouSayToo auto-publishing 'submit' Parameter Cross-Site Scripting (1.0.1)

Severity

Medium

Classification

CVE-2014-9276 CWE-352

Tags

Missing Update Known Vulnerabilities