Cross-site scripting (XSS) vulnerability in the preview in the TemplateSandbox extension for MediaWiki allows remote attackers to inject arbitrary web script or HTML via the text parameter to Special:TemplateSandbox.
Source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9479
Reference (s):
- https://phabricator.wikimedia.org/T76195
- MLIST:[MediaWiki-announce] 20141217 MediaWiki Security and Maintenance Releases: 1.24.1, 1.23.8, 1.22.15 and 1.19.23
- URL: https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-December/000173.html
- MLIST:[oss-security] 20141221 CVE Request: Mediawiki security releases 1.24.1, 1.23.8, 1.22.15 and 1.19.23
- URL: http://www.openwall.com/lists/oss-security/2014/12/21/2