Description
MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5, and 1.19.x before 1.19.11, when DjVu or PDF file upload support is enabled, allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the page parameter to includes/media/DjVu.php; (2) the w parameter (aka width field) to thumb.php, which is not properly handled by includes/media/PdfHandler_body.php; and possibly unspecified vectors in (3) includes/media/Bitmap.php and (4) includes/media/ImageHandler.php.
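The class of bug described above comes down to request parameters that should be numbers reaching a shell command line as free text. The following PHP sketch is an added example, not MediaWiki's code or its patch: it validates `page` and `w` as strict integers and quotes every argument before a command string is built. The function names, the limits, and the constructed sample inputs are assumptions; `ddjvu` with `-format`, `-page` and `-size` is used only as a representative renderer invocation.

```php
<?php
// Added illustration; function names and limits are hypothetical.

/**
 * Accept a request parameter only if it is a short run of decimal digits.
 * Values carrying shell metacharacters fail the pattern and are rejected,
 * not "cleaned". The D modifier stops "$" from matching before a trailing
 * newline, so "3\n" is rejected as well.
 */
function strictPositiveInt(string $raw, int $max): int
{
    if (!preg_match('/^[0-9]{1,6}$/D', $raw)) {
        throw new InvalidArgumentException('not a plain decimal integer');
    }
    $n = (int)$raw;
    if ($n < 1 || $n > $max) {
        throw new InvalidArgumentException('out of range');
    }
    return $n;
}

/** Build the renderer command from validated integers and a quoted path. */
function buildDjvuCommand(string $srcPath, string $rawPage, string $rawWidth): string
{
    $page  = strictPositiveInt($rawPage, 100000);  // assumed page limit
    $width = strictPositiveInt($rawWidth, 10000);  // assumed pixel limit
    // escapeshellarg() on every argument is defence in depth: the values
    // are already integers, but nothing is concatenated unquoted.
    return 'ddjvu -format=ppm '
        . escapeshellarg("-page={$page}") . ' '
        . escapeshellarg("-size={$width}x{$width}") . ' '
        . escapeshellarg($srcPath);
}

// Constructed sample inputs: [page, w]
$samples = [['1', '800'], ['1; id', '800'], ['2', '800|cat'], ["3\n", '120']];
foreach ($samples as [$page, $w]) {
    try {
        echo buildDjvuCommand('/srv/uploads/sample.djvu', $page, $w), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected (', $e->getMessage(), '): ', json_encode([$page, $w]), "\n";
    }
}
```

Only the first sample produces a command line; the other three are rejected before any string is assembled.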
Remediation
References