Veracode Vulnerability DatabaseVERACODE:41072Cross-Site Scripting (XSS)
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.001 Low
EPSS
Percentile
42.3%
mediawiki/core is vulnerable to Cross-Site Scripting (XSS). The vulnerability exits due to a lack of message sanitization in BlockLogFormatter.php, which allows an attacker to inject and execute arbitrary JavaScript into the browser.
References
github.com/wikimedia/mediawiki/commit/162e1f2ab7907eebd557ba613c34cf7701a274a1
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2UIVGYECQGTUC2LLPVCZBPDLCTOHL2F6/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6CHRX6DSLAMVXCV2YMJEWOLTBEYSESE5/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DOAXEGYBOEM4JWB4J3BDH73NK2LCYC3O/
lists.fedoraproject.org/archives/list/[email protected]/message/2UIVGYECQGTUC2LLPVCZBPDLCTOHL2F6/
lists.fedoraproject.org/archives/list/[email protected]/message/6CHRX6DSLAMVXCV2YMJEWOLTBEYSESE5/
lists.fedoraproject.org/archives/list/[email protected]/message/DOAXEGYBOEM4JWB4J3BDH73NK2LCYC3O/
phabricator.wikimedia.org/T332889
www.debian.org/security/2023/dsa-5447
www.mediawiki.org/wiki/Release_notes/1.40#Other_changes_in_1.40
Related
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.001 Low
EPSS
Percentile
42.3%