MediaWiki is vulnerable to cross-site scripting. An attacker is able to inject and execute arbitrary Javascript in a user’s browser by creating a message with [javascript:payload xss]
as a jQuery object with mw.message().parse()
.
lists.fedoraproject.org/archives/list/[email protected]/message/RTTPZ7XMDS66I442OLLHXBDNP2LCBJU6/
lists.wikimedia.org/pipermail/mediawiki-l/2020-September/048480.html
lists.wikimedia.org/pipermail/mediawiki-l/2020-September/048488.html
security-tracker.debian.org/tracker/CVE-2020-25814
www.mediawiki.org/wiki/ResourceLoader/Core_modules#mediawiki.jqueryMsg