VYPR
Unrated severity · NVD Advisory · Published Aug 22, 2014 · Updated May 6, 2026

CVE-2014-5243

Description

MediaWiki does not enforce clickjacking protection for transcluded pages, enabling iframe-based clickjacking attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

MediaWiki versions before 1.19.18, 1.20.x through 1.22.x before 1.22.9, and 1.23.x before 1.23.2 fail to propagate the mPreventClickjacking flag from OutputPage to ParserOutput when transcluding pages (e.g., special pages included via `` or similar). This allows an attacker to embed these pages in iframes without restriction [2][3].

Exploitation

An attacker can host a malicious website that includes a MediaWiki transcluded page (such as a special page) in an iframe. No authentication or special network position is required; the user must simply visit the attacker's site. The absence of clickjacking protection means the attacker can overlay deceptive UI elements to trick the user into performing actions on the MediaWiki site [3].

Impact

Successful exploitation enables clickjacking attacks, where the victim may unintentionally execute actions on the MediaWiki site (such as editing pages, changing settings, or revealing private information) under the attacker's control. The attacker can thereby trigger arbitrary actions within the context of the victim's authenticated session [2][4].

Mitigation

Upgrade to MediaWiki 1.19.18, 1.22.9, or 1.23.2, which include the fix that copies the mPreventClickjacking flag between OutputPage and ParserOutput [2]. If immediate upgrade is not possible, deploying Content Security Policy (CSP) headers that restrict framing can serve as a workaround. No known KEV listing [4].
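The mitigation above hinges on the response to a transcluded page carrying a framing restriction: either the X-Frame-Options header that MediaWiki's mPreventClickjacking flag controls, or a CSP frame-ancestors directive deployed as a workaround. The following script, added here as an illustration and not code from VYPR or from MediaWiki, checks a set of captured response headers for either control. The wiki origin and the sample responses are constructed for the example; in practice they would come from requests against the wiki's transcluded special pages after the upgrade or CSP change.

```python
"""Verify that HTTP responses forbid cross-origin framing.

Added example (not VYPR's or MediaWiki's code). It evaluates the two
framing controls a defender would check after applying the mitigation:
the X-Frame-Options header and the CSP frame-ancestors directive.
All origins and responses below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class FramingVerdict:
    protected: bool
    mechanism: Optional[str]  # "csp", "xfo" or None when nothing applies
    detail: str


def _parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def framing_protection(headers: Dict[str, str], origin: str) -> FramingVerdict:
    """Decide whether `headers` stop other origins from framing a page served by `origin`.

    Header names are matched case-insensitively. Per the CSP specification a
    frame-ancestors directive overrides X-Frame-Options, so it is checked first;
    a CSP header without frame-ancestors falls through to X-Frame-Options.
    """
    h = {k.lower(): v for k, v in headers.items()}

    csp = h.get("content-security-policy")
    if csp is not None:
        sources = _parse_frame_ancestors(csp)
        if sources is not None:
            if sources == ["'none'"]:
                return FramingVerdict(True, "csp", "frame-ancestors 'none'")
            if sources and all(s in ("'self'", origin.lower()) for s in sources):
                return FramingVerdict(True, "csp", "frame-ancestors " + " ".join(sources))
            return FramingVerdict(False, "csp",
                                  "frame-ancestors admits other origins: " + " ".join(sources))

    xfo = h.get("x-frame-options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value in ("DENY", "SAMEORIGIN"):
            return FramingVerdict(True, "xfo", "X-Frame-Options: " + value)
        # ALLOW-FROM is obsolete and ignored by current browsers; other values are invalid.
        return FramingVerdict(False, "xfo", "unsupported X-Frame-Options value: %r" % xfo)

    return FramingVerdict(False, None, "no framing restriction; frameable by any origin")


def audit(responses: Dict[str, Dict[str, str]], origin: str) -> Dict[str, bool]:
    """Map each captured response (keyed by a label) to whether framing is restricted."""
    return {label: framing_protection(hdrs, origin).protected for label, hdrs in responses.items()}


# Constructed sample data: a hypothetical wiki origin and four captured responses.
WIKI_ORIGIN = "https://wiki.example"
SAMPLE_RESPONSES = {
    "transcluded special page, unpatched": {
        "Content-Type": "text/html; charset=UTF-8",
    },
    "transcluded special page, patched": {
        "Content-Type": "text/html; charset=UTF-8",
        "X-Frame-Options": "DENY",
    },
    "page behind CSP workaround": {
        "Content-Type": "text/html; charset=UTF-8",
        "Content-Security-Policy": "frame-ancestors 'self'",
    },
    "CSP without frame-ancestors, obsolete XFO": {
        "Content-Security-Policy": "default-src 'self'",
        "X-Frame-Options": "ALLOW-FROM https://partner.example",
    },
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        v = framing_protection(hdrs, WIKI_ORIGIN)
        print("%-45s %-10s %s" % (label, "OK" if v.protected else "EXPOSED", v.detail))
```

Running the script against the constructed responses flags the unpatched transcluded page and the ALLOW-FROM response as frameable, and accepts the DENY and frame-ancestors responses. The same check, pointed at the real responses for Special: pages that your wiki transcludes, confirms whether the upgrade or the CSP workaround actually reached those pages.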

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (51)

  • MediaWiki/Mediawiki, 51 versions
    • cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:* (range: <=1.19.17)
    • cpe:2.3:a:mediawiki:mediawiki:1.19:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.19.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.19.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.19.10:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.19.11:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.19.12:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.19.13:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.19.14:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.19.15:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.19.16:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.19.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.19.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.19.4:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.19.5:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.19.6:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.19.7:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.19.8:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.19.9:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.19:beta_1:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.19:beta_2:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.20.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.20.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.20.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.20.4:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.20.5:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.20.6:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.20.7:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.20.8:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.21.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.21.10:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.21.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.21.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.21.4:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.21.5:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.21.6:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.21.7:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.21.8:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.21.9:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.22.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.22.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.22.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.22.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.22.4:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.22.5:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.22.6:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.22.7:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.22.8:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.23.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.23.1:*:*:*:*:*:*:*
    • (no CPE) range: <1.19.18, 1.20-1.22 <1.22.9, 1.23 <1.23.2

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (7)

News mentions (0)

No linked articles in our index yet.