CVE-2014-9475
mediawiki - security update
EPSS 0.16%
Description
Cross-site scripting (XSS) vulnerability in thumb.php in MediaWiki before 1.19.23, 1.2x before 1.22.15, 1.23.x before 1.23.8, and 1.24.x before 1.24.1 allows remote authenticated users to inject arbitrary web script or HTML via a wikitext message.
How to fix CVE-2014-9475
To remediate CVE-2014-9475, upgrade the affected package to one of the fixed versions listed below.
- Debian/mediawiki: upgrade to 1:1.19.20+dfsg-2.2 or later
- Debian/mediawiki: upgrade to 1:1.19.20+dfsg-0+deb7u3 or later
Is CVE-2014-9475 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 1:1.19.20+dfsg-2.2
- from 0, < 1:1.19.20+dfsg-0+deb7u3