CVE-2014-9507
UnknownEPSS 0.95%
Last modified
CVE-2014-9507 is a vulnerability of currently unknown severity. MediaWiki 1.21.x, 1.22.x before 1.22.14, and 1.23.x before 1.23.7, when $wgContentHandlerUseDB is enabled, allows remote attackers to conduct cross-site scripting (XSS) attacks by setting the content model for a revision to JS.. EPSS estimates a 0.95% chance of exploitation in the next 30 days.
Description
MediaWiki 1.21.x, 1.22.x before 1.22.14, and 1.23.x before 1.23.7, when $wgContentHandlerUseDB is enabled, allows remote attackers to conduct cross-site scripting (XSS) attacks by setting the content model for a revision to JS.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Mediawiki | Mediawiki | <= 1.19.21 |
| Mediawiki | Mediawiki | 1.20 |
| Mediawiki | Mediawiki | 1.20.1 |
| Mediawiki | Mediawiki | 1.20.2 |
| Mediawiki | Mediawiki | 1.20.3 |
| Mediawiki | Mediawiki | 1.20.4 |
| Mediawiki | Mediawiki | 1.20.5 |
| Mediawiki | Mediawiki | 1.20.6 |
| Mediawiki | Mediawiki | 1.20.7 |
| Mediawiki | Mediawiki | 1.20.8 |
| Mediawiki | Mediawiki | 1.21 |
| Mediawiki | Mediawiki | 1.21.1 |
| Mediawiki | Mediawiki | 1.21.2 |
| Mediawiki | Mediawiki | 1.21.3 |
| Mediawiki | Mediawiki | 1.21.4 |
| Mediawiki | Mediawiki | 1.21.5 |
| Mediawiki | Mediawiki | 1.21.6 |
| Mediawiki | Mediawiki | 1.21.7 |
| Mediawiki | Mediawiki | 1.21.8 |
| Mediawiki | Mediawiki | 1.21.9 |
| Mediawiki | Mediawiki | 1.21.10 |
| Mediawiki | Mediawiki | 1.21.11 |
| Mediawiki | Mediawiki | 1.22.0 |
| Mediawiki | Mediawiki | 1.22.1 |
| Mediawiki | Mediawiki | 1.22.2 |
| Mediawiki | Mediawiki | 1.22.3 |
| Mediawiki | Mediawiki | 1.22.4 |
| Mediawiki | Mediawiki | 1.22.5 |
| Mediawiki | Mediawiki | 1.22.6 |
| Mediawiki | Mediawiki | 1.22.7 |
| Mediawiki | Mediawiki | 1.22.8 |
| Mediawiki | Mediawiki | 1.22.10 |
| Mediawiki | Mediawiki | 1.22.11 |
| Mediawiki | Mediawiki | 1.22.12 |
| Mediawiki | Mediawiki | 1.22.13 |
| Mediawiki | Mediawiki | 1.23.0 |
| Mediawiki | Mediawiki | 1.23.1 |
| Mediawiki | Mediawiki | 1.23.2 |
| Mediawiki | Mediawiki | 1.23.3 |
| Mediawiki | Mediawiki | 1.23.4 |
| Mediawiki | Mediawiki | 1.23.5 |
| Mediawiki | Mediawiki | 1.23.6 |
References
- https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-November/000170.htmlPatch, Vendor Advisory
- https://phabricator.wikimedia.org/T72901Vendor Advisory
- https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-November/000170.htmlPatch, Vendor Advisory
- https://phabricator.wikimedia.org/T72901Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2014-9507?
MediaWiki 1.21.x, 1.22.x before 1.22.14, and 1.23.x before 1.23.7, when $wgContentHandlerUseDB is enabled, allows remote attackers to conduct cross-site scripting (XSS) attacks by setting the content model for a revision to JS.
How severe is CVE-2014-9507?
Severity scoring for CVE-2014-9507 is pending analysis. The EPSS model estimates a 0.95% probability of exploitation in the next 30 days.
How do I fix CVE-2014-9507?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.
Are you affected by CVE-2014-9507?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST