CVE-2014-5241 — MEDIUM (6.8)

Q: How severe is CVE-2014-5241?

CVE-2014-5241 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2014-5241?

Check the references section above for vendor advisories and patch information. Affected products include: Mediawiki Mediawiki.

Vulnerability Description

The JSONP endpoint in includes/api/ApiFormatJson.php in MediaWiki before 1.19.18, 1.20.x through 1.22.x before 1.22.9, and 1.23.x before 1.23.2 accepts certain long callback values and does not restrict the initial bytes of a JSONP response, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and obtain sensitive information, via a crafted OBJECT element with SWF content consistent with a restricted character set.

CVSS Score

6.8

MEDIUM

AV:N/AC:M/Au:N/C:P/I:P/A:P

Confidentiality

PARTIAL

Integrity

PARTIAL

Availability

PARTIAL

Affected Products

Vendor	Product	Versions
Mediawiki	Mediawiki	<= 1.19.17

Related Weaknesses (CWE)

CWE-352

References

FAQ

What is CVE-2014-5241?

CVE-2014-5241 is a vulnerability with a CVSS score of 6.8 (MEDIUM). The JSONP endpoint in includes/api/ApiFormatJson.php in MediaWiki before 1.19.18, 1.20.x through 1.22.x before 1.22.9, and 1.23.x before 1.23.2 accepts certain long callback values and does not restri...

How severe is CVE-2014-5241?

CVE-2014-5241 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2014-5241?

Check the references section above for vendor advisories and patch information. Affected products include: Mediawiki Mediawiki.