Lucene search

GitHub_MCVELIST:CVE-2022-21710

HistoryJan 24, 2022 - 7:45 p.m.

CVE-2022-21710 Cross-site Scripting in ShortDescription extension

2022-01-2419:45:10

CWE-79

GitHub_M

www.cve.org

cve-2022-21710

cross-site scripting

shortdescription extension

mediawiki

xss

vulnerability

patch

CVSS3

4.7

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

EPSS

0.001

Percentile

35.9%

JSON

ShortDescription is a MediaWiki extension that provides local short description support. A cross-site scripting (XSS) vulnerability exists in versions prior to 2.3.4. On a wiki that has the ShortDescription enabled, XSS can be triggered on any page or the page with the action=info parameter, which displays the shortdesc property. This is achieved using the wikitext {{SHORTDESC:<img src=x onerror=alert()>}}. This issue has a patch in version 2.3.4.

CNA Affected

[
  {
    "product": "mediawiki-extensions-ShortDescription",
    "vendor": "StarCitizenTools",
    "versions": [
      {
        "status": "affected",
        "version": "< 2.3.4"
      }
    ]
  }
]

References

github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/commit/7c86644158388620c6c858258cc4e1a8de6e48ea

github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/commit/bf568edd892adb8528dcb64f75dddf3eeaccc12c

github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/security/advisories/GHSA-mgcp-qw2r-6832

CVSS3

4.7

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

EPSS

0.001

Percentile

35.9%

JSON

Related for CVELIST:CVE-2022-21710