Description
MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 does not properly handle the case in which the Zend interpreter's xml_parse function does not expand entities, which allows remote attackers to inject arbitrary web script or HTML via a crafted SVG file.