mediawiki/core is vulnerable to cross-site scriptingattacks. The library does not properly escape characters in contributions-title
message in SpecialContributions.php
which is used as a page title, allowing an attacker to inject and execute malicious javascript through harmful HTML entities.
github.com/wikimedia/mediawiki/commit/4310eae71eebd8cc6b415af14bcda0c84f497633
github.com/wikimedia/mediawiki/commit/66f9ea7e9d5d69587fc1794d0cf4b719028b3a72
lists.debian.org/debian-lts-announce/2022/09/msg00027.html
lists.fedoraproject.org/archives/list/[email protected]/message/7N5ZBWLNNPZKFK7Q4KEHGCJ2YELQEUJP/
lists.fedoraproject.org/archives/list/[email protected]/message/DKKOQXPYLMBSEVDHFS32BPBR3ZQJKY5B/
phabricator.wikimedia.org/T308473
security.gentoo.org/glsa/202305-24
www.debian.org/security/2022/dsa-5246