CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | REQUIRED |
Scope | CHANGED |
Confidentiality Impact | LOW |
Integrity Impact | LOW |
Availability Impact | NONE |

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS Percentile: 20.6%

WikiDiscover is an extension designed for use with a CreateWiki managed farm to display wikis. On Special:WikiDiscover, the `Language::date` function is used when making the human-readable timestamp for inclusion in the wiki_creation column. This function uses interface messages to translate the names of months and days. It uses the `->text()` output mode, which returns interface messages unescaped. Since the output is not escaped later, the unescaped interface message is included in the output, resulting in an XSS vulnerability. Exploiting this on-wiki requires the `(editinterface)` right. This vulnerability has been addressed in commit 267e763a0. Users are advised to update their installations. There are no known workarounds for this vulnerability.

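The pattern described above, as an added stand-alone example that is neither WikiDiscover's code nor the content of the fixing commit: a date formatter pulls the month name from a text-mode message lookup, and the table cell is rendered once without and once with escaping at output. All function names, the message table and the timestamp are hypothetical or constructed for illustration, and escaping with `htmlspecialchars` is an assumed remedy for this class of bug.

```php
<?php
// Simplified model, not MediaWiki or WikiDiscover code. All names are hypothetical.

// Constructed interface messages: "january" carries an on-wiki override
// containing markup, as a user with (editinterface) could set.
$messages = [
    'january'  => '<b>January</b>',
    'february' => 'February',
];

// Stand-in for a text-mode message lookup: returns the message verbatim,
// with no HTML escaping.
function messageText( array $messages, string $key ): string {
    return $messages[$key] ?? $key;
}

// Stand-in for a date formatter that translates the month via messages.
function formatDate( array $messages, int $timestamp ): string {
    $monthKey = strtolower( gmdate( 'F', $timestamp ) );
    return gmdate( 'j ', $timestamp ) . messageText( $messages, $monthKey )
        . gmdate( ' Y', $timestamp );
}

// Before: the formatted date goes into the cell as-is, so markup from the
// message becomes part of the page.
function renderCellUnescaped( array $messages, int $timestamp ): string {
    return '<td>' . formatDate( $messages, $timestamp ) . '</td>';
}

// After: escape at the point of output, whatever the messages contain.
function renderCellEscaped( array $messages, int $timestamp ): string {
    $date = formatDate( $messages, $timestamp );
    return '<td>' . htmlspecialchars( $date, ENT_QUOTES, 'UTF-8' ) . '</td>';
}

$created = gmmktime( 0, 0, 0, 1, 15, 2024 ); // constructed wiki creation time

echo renderCellUnescaped( $messages, $created ), "\n";
echo renderCellEscaped( $messages, $created ), "\n";
```

The first line of output carries the message's markup into the page as live HTML; the second shows the same characters as inert text.
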
Vendor | Product | Version | CPE |
---|---|---|---|
miraheze | wikidiscover | * | cpe:2.3:a:miraheze:wikidiscover:*:*:*:*:*:*:*:* |

[
  {
    "vendor": "miraheze",
    "product": "WikiDiscover",
    "versions": [
      {
        "version": "< 267e763a0d7",
        "status": "affected"
      }
    ]
  }
]