includes/upload/UploadBase.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 does not prevent use of invalid namespaces in SVG files, which allows remote attackers to conduct cross-site scripting (XSS) attacks via an SVG upload, as demonstrated by use of a W3C XHTML namespace in conjunction with an IFRAME element.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2014-03-02T02:00:00
Updated: 2024-08-06T10:06:00.324Z
Reserved: 2014-02-28T00:00:00
Link: CVE-2014-2242
Vulnrichment
No data.
NVD
Status : Modified
Published: 2014-03-02T04:57:25.887
Modified: 2024-11-21T02:05:54.747
Link: CVE-2014-2242
Redhat
No data.