GHSA-h8qx-mj6v-2934

Source

https://github.com/advisories/GHSA-h8qx-mj6v-2934

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-h8qx-mj6v-2934/GHSA-h8qx-mj6v-2934.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-h8qx-mj6v-2934

Aliases

Published

2022-05-24T17:29:42Z

Modified

2024-05-19T02:23:56.439540Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

MediaWiki Cross-site Scripting (XSS) vulnerability

Details

An issue was discovered in MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3. The non-jqueryMsg version of mw.message().parse() doesn't escape HTML. This affects both message contents (which are generally safe) and the parameters (which can be based on user input). (When jqueryMsg is loaded, it correctly accepts only whitelisted tags in message contents, and escapes all parameters. Situations with an unloaded jqueryMsg are rare in practice, but can for example occur for Special:SpecialPages on a wiki with no extensions installed.)

References

Affected packages

Packagist / mediawiki/core

Package

Name: mediawiki/core
Purl: pkg:composer/mediawiki/core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.31.0

Fixed

1.31.9

Affected versions

1.*

1.31.0

1.31.1

1.31.2

1.31.3

1.31.4

1.31.5

1.31.6

1.31.7

1.31.8

Packagist / mediawiki/core

Package

Name: mediawiki/core
Purl: pkg:composer/mediawiki/core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.32.0

Fixed

1.34.3

Affected versions

1.*

1.32.0

1.32.1

1.32.2

1.32.3

1.32.4

1.32.5

1.32.6

1.33.0-rc.0

1.33.0

1.33.1

1.33.2

1.33.3

1.33.4

1.34.0-rc.0

1.34.0-rc.1

1.34.0

1.34.1

1.34.2

Packagist / mediawiki/core

Package

Name: mediawiki/core
Purl: pkg:composer/mediawiki/core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.35.0-rc.0

Fixed

1.35.0

Affected versions

1.*

1.35.0-rc.0

1.35.0-rc.1

1.35.0-rc.2

1.35.0-rc.3