CVE-2015-2939 - Vulnerability Details - OpenCVE

Cross-site scripting (XSS) vulnerability in the Scribunto extension for MediaWiki allows remote attackers to inject arbitrary web script or HTML via a function name, which is not properly handled in a Lua error backtrace.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mediawiki	Scribunto

Configuration 1 [-]

cpe:2.3:a:mediawiki:scribunto:-:*:*:*:*:mediawiki:*:*

No data.

References

Link	Providers
http://www.mandriva.com/security/advisories?name=MDVSA-2015:200
http://www.openwall.com/lists/oss-security/2015/04/01/1
http://www.openwall.com/lists/oss-security/2015/04/07/3
http://www.securityfocus.com/bid/73477
https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html
https://phabricator.wikimedia.org/T85113
https://security.gentoo.org/glsa/201510-05

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2015-04-13T14:00:00

Updated: 2024-08-06T05:32:20.621Z

Reserved: 2015-04-07T00:00:00

Link: CVE-2015-2939

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2015-04-13T14:59:12.380

Modified: 2025-04-12T10:46:40.837

Link: CVE-2015-2939

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-03-31T00:00:00", "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the Scribunto extension for MediaWiki allows remote attackers to inject arbitrary web script or HTML via a function name, which is not properly handled in a Lua error backtrace."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-12-05T21:57:02", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "GLSA-201510-05", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201510-05"}, {"name": "MDVSA-2015:200", "tags": ["vendor-advisory", "x_refsource_MANDRIVA"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:200"}, {"name": "73477", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/73477"}, {"name": "[oss-security] 20150407 Re: CVE request: MediaWiki 1.24.2/1.23.9/1.19.24", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2015/04/07/3"}, {"name": "[oss-security] 20150331 CVE request: MediaWiki 1.24.2/1.23.9/1.19.24", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2015/04/01/1"}, {"name": "[MediaWiki-announce] 20150331 MediaWiki Security and Maintenance Releases: 1.19.24, 1.23.9, and 1.24.2", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://phabricator.wikimedia.org/T85113"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-2939", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in the Scribunto extension for MediaWiki allows remote attackers to inject arbitrary web script or HTML via a function name, which is not properly handled in a Lua error backtrace."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "GLSA-201510-05", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201510-05"}, {"name": "MDVSA-2015:200", "refsource": "MANDRIVA", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:200"}, {"name": "73477", "refsource": "BID", "url": "http://www.securityfocus.com/bid/73477"}, {"name": "[oss-security] 20150407 Re: CVE request: MediaWiki 1.24.2/1.23.9/1.19.24", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/04/07/3"}, {"name": "[oss-security] 20150331 CVE request: MediaWiki 1.24.2/1.23.9/1.19.24", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/04/01/1"}, {"name": "[MediaWiki-announce] 20150331 MediaWiki Security and Maintenance Releases: 1.19.24, 1.23.9, and 1.24.2", "refsource": "MLIST", "url": "https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html"}, {"name": "https://phabricator.wikimedia.org/T85113", "refsource": "CONFIRM", "url": "https://phabricator.wikimedia.org/T85113"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T05:32:20.621Z"}, "title": "CVE Program Container", "references": [{"name": "GLSA-201510-05", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/201510-05"}, {"name": "MDVSA-2015:200", "tags": ["vendor-advisory", "x_refsource_MANDRIVA", "x_transferred"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:200"}, {"name": "73477", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/73477"}, {"name": "[oss-security] 20150407 Re: CVE request: MediaWiki 1.24.2/1.23.9/1.19.24", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2015/04/07/3"}, {"name": "[oss-security] 20150331 CVE request: MediaWiki 1.24.2/1.23.9/1.19.24", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2015/04/01/1"}, {"name": "[MediaWiki-announce] 20150331 MediaWiki Security and Maintenance Releases: 1.19.24, 1.23.9, and 1.24.2", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://phabricator.wikimedia.org/T85113"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-2939", "datePublished": "2015-04-13T14:00:00", "dateReserved": "2015-04-07T00:00:00", "dateUpdated": "2024-08-06T05:32:20.621Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mediawiki:scribunto:-:*:*:*:*:mediawiki:*:*", "matchCriteriaId": "111D168C-1F5E-44F7-82DF-357B56102FE6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the Scribunto extension for MediaWiki allows remote attackers to inject arbitrary web script or HTML via a function name, which is not properly handled in a Lua error backtrace."}, {"lang": "es", "value": "Vulnerabilidad de XSS en la extensi\u00f3n Scribunto para MediaWiki permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s del nombre de una funci\u00f3n, lo cual no est\u00e1 manejado correctamente en el la traza de error de Lua."}], "id": "CVE-2015-2939", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2015-04-13T14:59:12.380", "references": [{"source": "cve@mitre.org", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:200"}, {"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2015/04/01/1"}, {"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2015/04/07/3"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/73477"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html"}, {"source": "cve@mitre.org", "url": "https://phabricator.wikimedia.org/T85113"}, {"source": "cve@mitre.org", "url": "https://security.gentoo.org/glsa/201510-05"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:200"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2015/04/01/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2015/04/07/3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/73477"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://phabricator.wikimedia.org/T85113"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gentoo.org/glsa/201510-05"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}