CVE-2014-3966

Published: Jun 6, 2014Modified: May 6, 2026

2.6

Vector

AV:N/AC:H/Au:N/C:N/I:P/A:N

Exploitability: 4.9 / Impact: 2.9

Source: NVD

Description

Cross-site scripting (XSS) vulnerability in Special:PasswordReset in MediaWiki before 1.19.16, 1.21.x before 1.21.10, and 1.22.x before 1.22.7, when wgRawHtml is enabled, allows remote attackers to inject arbitrary web script or HTML via an invalid username.

Affected (33)

Products: Mediawiki: Mediawiki

Mediawiki

1 product

Mediawiki

Configuration A

16 vulnerable

Vulnerable Software	Affected Versions
Mediawiki Mediawiki	Up to 1.19.15
Mediawiki Mediawiki	Version 1.19.0
Mediawiki Mediawiki	Version 1.19.10
Mediawiki Mediawiki	Version 1.19.11
Mediawiki Mediawiki	Version 1.19.12
Mediawiki Mediawiki	Version 1.19.13
Mediawiki Mediawiki	Version 1.19.14
Mediawiki Mediawiki	Version 1.19.1
Mediawiki Mediawiki	Version 1.19.2
Mediawiki Mediawiki	Version 1.19.3
Mediawiki Mediawiki	Version 1.19.4
Mediawiki Mediawiki	Version 1.19.5
Mediawiki Mediawiki	Version 1.19.6
Mediawiki Mediawiki	Version 1.19.7
Mediawiki Mediawiki	Version 1.19.8
Mediawiki Mediawiki	Version 1.19.9

Configuration B

7 vulnerable

Vulnerable Software	Affected Versions
Mediawiki Mediawiki	Version 1.22.0
Mediawiki Mediawiki	Version 1.22.1
Mediawiki Mediawiki	Version 1.22.2
Mediawiki Mediawiki	Version 1.22.3
Mediawiki Mediawiki	Version 1.22.4
Mediawiki Mediawiki	Version 1.22.5
Mediawiki Mediawiki	Version 1.22.6

Configuration C

10 vulnerable

Vulnerable Software	Affected Versions
Mediawiki Mediawiki	Version 1.21.1
Mediawiki Mediawiki	Version 1.21.2
Mediawiki Mediawiki	Version 1.21.3
Mediawiki Mediawiki	Version 1.21.4
Mediawiki Mediawiki	Version 1.21.5
Mediawiki Mediawiki	Version 1.21.6
Mediawiki Mediawiki	Version 1.21.7
Mediawiki Mediawiki	Version 1.21.8
Mediawiki Mediawiki	Version 1.21.9
Mediawiki Mediawiki	Version 1.21