Description

MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5, and 1.19.x before 1.19.11, when DjVu or PDF file upload support is enabled, allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the page parameter to includes/media/DjVu.php; (2) the w parameter (aka width field) to thumb.php, which is not properly handled by includes/media/PdfHandler_body.php; and possibly unspecified vectors in (3) includes/media/Bitmap.php and (4) includes/media/ImageHandler.php.

Remediation

References

CVE-2014-1610

Related Vulnerabilities

Jboss EAP Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2020-10688)

Joomla! Core 1.5.x Information Disclosure (1.5.0 - 1.5.15)

WordPress Plugin Feed Them Social-for Twitter feed, Youtube and more PHAR Deserialization (2.9.8.5)

WordPress Plugin Super Forms-Drag & Drop Form Builder Arbitrary File Upload (4.9.700)

Joomla Improper Input Validation Vulnerability (CVE-2015-8564)

Severity

Medium

Classification

CVE-2014-1610 CWE-20

Tags

Missing Update Known Vulnerabilities