Description

MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5, and 1.19.x before 1.19.11, when DjVu or PDF file upload support is enabled, allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the page parameter to includes/media/DjVu.php; (2) the w parameter (aka width field) to thumb.php, which is not properly handled by includes/media/PdfHandler_body.php; and possibly unspecified vectors in (3) includes/media/Bitmap.php and (4) includes/media/ImageHandler.php.

Remediation

References

CVE-2014-1610

Related Vulnerabilities

WordPress Plugin NextGEN Gallery-WordPress Gallery Multiple Cross-Site Scripting Vulnerabilities (2.1.20)

Jenkins Improper Handling of Inconsistent Structural Elements Vulnerability (CVE-2021-21640)

Joomla Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2008-5671)

Joomla Permissions, Privileges, and Access Controls Vulnerability (CVE-2013-3057)

WordPress Plugin A.M.Y. Cross-Site Scripting (1.3.3)

Severity

Medium

Classification

CVE-2014-1610 CWE-20

Tags

Missing Update Known Vulnerabilities