Description

MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5, and 1.19.x before 1.19.11, when DjVu or PDF file upload support is enabled, allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the page parameter to includes/media/DjVu.php; (2) the w parameter (aka width field) to thumb.php, which is not properly handled by includes/media/PdfHandler_body.php; and possibly unspecified vectors in (3) includes/media/Bitmap.php and (4) includes/media/ImageHandler.php.

Remediation

References

CVE-2014-1610

Related Vulnerabilities

WordPress Plugin Gallery by BestWebSoft Cross-Site Scripting (4.4.9)

WordPress Plugin Ultimate Member-User Profile, Registration, Login, Member Directory, Content Restriction & Membership Unspecified Vulnerability (2.0.40)

ownCloud Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2013-1850)

MySQL CVE-2019-2879 Vulnerability (CVE-2019-2879)

WordPress Plugin WooCommerce PDF Invoices & Packing Slips Cross-Site Request Forgery (2.2.6)

Severity

Medium

Classification

CVE-2014-1610 CWE-20

Tags

Missing Update Known Vulnerabilities