CVE-2014-9487

high-risk
Published 2017-10-17

The getid3 library in MediaWiki before 1.24.1, 1.23.8, 1.22.15 and 1.19.23 allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack. NOTE: Related to CVE-2014-2053.

Do I need to act?

~
1.0% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (20)

Affected Vendors

Mediawiki

References (8)

Mailing List http://www.openwall.com/lists/oss-security/2015/01/03/13
Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1175828
Vendor Advisory https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-December/000173.ht...
Third Party Advisory https://security.gentoo.org/glsa/201502-04
Mailing List http://www.openwall.com/lists/oss-security/2015/01/03/13
Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1175828
Vendor Advisory https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-December/000173.ht...
Third Party Advisory https://security.gentoo.org/glsa/201502-04
61
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 3/34 · Minimal
Exposure 26/34 · High