vulnerability
MediaWiki: Improper Restriction of XML External Entity Reference (CVE-2014-9487)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 8 | (AV:N/AC:L/Au:N/C:P/I:P/A:P) | Oct 17, 2017 | Oct 23, 2019 | Apr 7, 2026 |
Severity
8
CVSS
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published
Oct 17, 2017
Added
Oct 23, 2019
Modified
Apr 7, 2026
Description
The getid3 library in MediaWiki before 1.24.1, 1.23.8, 1.22.15 and 1.19.23 allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack. NOTE: Related to CVE-2014-2053.
Solution
mediawiki-upgrade-latest
References
- CVE-2014-9487
- https://attackerkb.com/topics/CVE-2014-9487
- CWE-611
- EUVD-EUVD-2014-9306
- http://www.openwall.com/lists/oss-security/2015/01/03/13
- https://bugzilla.redhat.com/show_bug.cgi?id=1175828
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2014-9306
- https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-December/000173.html
- https://security.gentoo.org/glsa/201502-04
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.