VDB
CVE-2014-1610
REJECTED
MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5, and 1.19.x before 1.19.11, when DjVu or PDF file upload support is enabled, allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the page parameter to includes/media/DjVu.php; (2) the w parameter (aka width field) to thumb.php, which is not properly handled by includes/media/PdfHandler_body.php; and possibly unspecified vectors in (3) includes/media/Bitmap.php and (4) includes/media/ImageHandler.php.
Risk Scores
EPSS Score: 48.04% (97.8th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:14.04:LTS | mediawiki | 0, 1:1.19.8+dfsg-1, 1:1.19.8+dfsg-2 |
Exploit Intelligence
- CIRCL seen: CVE-2014-1610 (circl-sighting)
- DSA-2891 (circl)
- 56695 (circl)
- 57472 (circl)
- https://gerrit.wikimedia.org/r/#/c/110215/ (circl)
- http://www.checkpoint.com/threatcloud-central/articles/2014-01-28-tc-researchers-discover.html (circl)
- [MediaWiki-announce] 20140128 MediaWiki Security Releases: 1.22.2, 1.21.5 and 1.19.11 (circl)
- 1029707 (circl)
…and 21 more exploits
Timeline
- Feb 2, 2014 PoC Published
- Feb 20, 2014 PoC Published
- Feb 22, 2014 PoC Published
- May 29, 2018 PoC Published
- Feb 4, 2022 EPSS Score
- Jul 15, 2022 EPSS Score
- Apr 16, 2023 EPSS Score
- Jun 6, 2023 EPSS Score
- Aug 17, 2024 EPSS Score
- Feb 6, 2025 PoC Published
- Feb 23, 2025 PoC Published
- Mar 17, 2025 EPSS Score
References
- https://ubuntu.com/security/CVE-2014-1610 third-party-advisory
- https://gerrit.wikimedia.org/r/#/c/110215/ third-party-advisory
- https://gerrit.wikimedia.org/r/#/c/110069/2/includes/media/Bitmap.php third-party-advisory
- https://gerrit.wikimedia.org/r/#/c/110069/ third-party-advisory
- https://bugzilla.wikimedia.org/show_bug.cgi?id=60339 third-party-advisory
- https://bugzilla.wikimedia.org/attachment.cgi?id=14384&action=diff third-party-advisory
- https://bugzilla.wikimedia.org/attachment.cgi?id=14361&action=diff third-party-advisory
- http://secunia.com/advisories/56695 third-party-advisory
- http://osvdb.org/102630 third-party-advisory
- http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000140.html third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2014-1610 third-party-advisory