CVE-2024-34500

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-34500

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-34500.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-34500

Aliases

Published

2024-05-05T19:15:07Z

Modified

2025-07-29T11:10:47.250517Z

Summary

[none]

Details

An issue was discovered in the UnlinkedWikibase extension in MediaWiki before 1.39.6, 1.40.x before 1.40.2, and 1.41.x before 1.41.1. XSS can occur through an interface message. Error messages (in the $err var) are not escaped before being passed to Html::rawElement() in the getError() function in the Hooks class.

References

Affected packages

Git / github.com/wikimedia/mediawiki

Affected ranges

Type: GIT
Repo: https://github.com/wikimedia/mediawiki
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

3406e1b7d014d22f2a68237ebf447a88b5ac74ed

Affected versions

1.*

1.1.0

1.3.0beta1

1.39.0

1.39.0-rc.0

1.39.0-rc.1

1.39.1

1.39.2

1.39.3

1.39.4

1.39.5

1.5.0alpha1

1.5.0alpha2

1.5.0beta1

1.5.0beta2

1.5.0beta3

1.5.0beta4

1.6.0