CVE-2014-3966: XSS
First published: Fri Jun 06 2014(Updated: )
Cross-site scripting (XSS) vulnerability in Special:PasswordReset in MediaWiki before 1.19.16, 1.21.x before 1.21.10, and 1.22.x before 1.22.7, when wgRawHtml is enabled, allows remote attackers to inject arbitrary web script or HTML via an invalid username.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Wikimedia MediaWiki | <=1.19.15 | |
| Wikimedia MediaWiki | =1.19.0 | |
| Wikimedia MediaWiki | =1.19.1 | |
| Wikimedia MediaWiki | =1.19.2 | |
| Wikimedia MediaWiki | =1.19.3 | |
| Wikimedia MediaWiki | =1.19.4 | |
| Wikimedia MediaWiki | =1.19.5 | |
| Wikimedia MediaWiki | =1.19.6 | |
| Wikimedia MediaWiki | =1.19.7 | |
| Wikimedia MediaWiki | =1.19.8 | |
| Wikimedia MediaWiki | =1.19.9 | |
| Wikimedia MediaWiki | =1.19.10 | |
| Wikimedia MediaWiki | =1.19.11 | |
| Wikimedia MediaWiki | =1.19.12 | |
| Wikimedia MediaWiki | =1.19.13 | |
| Wikimedia MediaWiki | =1.19.14 | |
| Wikimedia MediaWiki | =1.22.0 | |
| Wikimedia MediaWiki | =1.22.1 | |
| Wikimedia MediaWiki | =1.22.2 | |
| Wikimedia MediaWiki | =1.22.3 | |
| Wikimedia MediaWiki | =1.22.4 | |
| Wikimedia MediaWiki | =1.22.5 | |
| Wikimedia MediaWiki | =1.22.6 | |
| Wikimedia MediaWiki | =1.21 | |
| Wikimedia MediaWiki | =1.21.1 | |
| Wikimedia MediaWiki | =1.21.2 | |
| Wikimedia MediaWiki | =1.21.3 | |
| Wikimedia MediaWiki | =1.21.4 | |
| Wikimedia MediaWiki | =1.21.5 | |
| Wikimedia MediaWiki | =1.21.6 | |
| Wikimedia MediaWiki | =1.21.7 | |
| Wikimedia MediaWiki | =1.21.8 | |
| Wikimedia MediaWiki | =1.21.9 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-May/000151.html
- http://secunia.com/advisories/58834
- http://secunia.com/advisories/58896
- http://www.debian.org/security/2014/dsa-2957
- http://www.openwall.com/lists/oss-security/2014/06/04/15
- http://www.securityfocus.com/bid/67787
- http://www.securitytracker.com/id/1030364
- https://bugzilla.wikimedia.org/show_bug.cgi?id=65501
Frequently Asked Questions
What is the severity of CVE-2014-3966?
CVE-2014-3966 has a medium severity level as it allows XSS attacks that can lead to unauthorized access or data manipulation.
How do I fix CVE-2014-3966?
To fix CVE-2014-3966, upgrade MediaWiki to version 1.19.16, 1.21.10, or 1.22.7 or later.
What versions of MediaWiki are affected by CVE-2014-3966?
CVE-2014-3966 affects MediaWiki versions before 1.19.16, 1.21.x before 1.21.10, and 1.22.x before 1.22.7.
What type of vulnerability is CVE-2014-3966?
CVE-2014-3966 is a cross-site scripting (XSS) vulnerability.
Can CVE-2014-3966 be exploited remotely?
Yes, CVE-2014-3966 can be exploited remotely by injecting arbitrary web scripts or HTML.
- agent/references
- agent/type
- agent/weakness
- agent/severity
- agent/remedy
- agent/author
- agent/softwarecombine
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/first-publish-date
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/mediawiki
- canonical/wikimedia mediawiki
- version/wikimedia mediawiki/1.19.15
- version/wikimedia mediawiki/1.19.0
- version/wikimedia mediawiki/1.19.1
- version/wikimedia mediawiki/1.19.2
- version/wikimedia mediawiki/1.19.3
- version/wikimedia mediawiki/1.19.4
- version/wikimedia mediawiki/1.19.5
- version/wikimedia mediawiki/1.19.6
- version/wikimedia mediawiki/1.19.7
- version/wikimedia mediawiki/1.19.8
- version/wikimedia mediawiki/1.19.9
- version/wikimedia mediawiki/1.19.10
- version/wikimedia mediawiki/1.19.11
- version/wikimedia mediawiki/1.19.12
- version/wikimedia mediawiki/1.19.13
- version/wikimedia mediawiki/1.19.14
- version/wikimedia mediawiki/1.22.0
- version/wikimedia mediawiki/1.22.1
- version/wikimedia mediawiki/1.22.2
- version/wikimedia mediawiki/1.22.3
- version/wikimedia mediawiki/1.22.4
- version/wikimedia mediawiki/1.22.5
- version/wikimedia mediawiki/1.22.6
- version/wikimedia mediawiki/1.21
- version/wikimedia mediawiki/1.21.1
- version/wikimedia mediawiki/1.21.2
- version/wikimedia mediawiki/1.21.3
- version/wikimedia mediawiki/1.21.4
- version/wikimedia mediawiki/1.21.5
- version/wikimedia mediawiki/1.21.6
- version/wikimedia mediawiki/1.21.7
- version/wikimedia mediawiki/1.21.8
- version/wikimedia mediawiki/1.21.9