GHSA-pfm2-mqwj-ggm5

Source
https://github.com/advisories/GHSA-pfm2-mqwj-ggm5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-pfm2-mqwj-ggm5/GHSA-pfm2-mqwj-ggm5.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-pfm2-mqwj-ggm5
Aliases
Published
2022-05-24T17:13:21Z
Modified
2024-04-01T20:11:58.751725Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
MediaWiki makeCollapsible allows applying event handler to any CSS selector
Details

In MediaWiki before 1.34.1, users can add various Cascading Style Sheets (CSS) classes (which can affect what content is shown or hidden in the user interface) to arbitrary DOM nodes via HTML content within a MediaWiki page. This occurs because jquery.makeCollapsible allows applying an event handler to any CSS selector. There is no known way to exploit this for cross-site scripting (XSS).

Database specific
{
    "nvd_published_at": "2020-04-03T15:15:00Z",
    "cwe_ids": [
        "CWE-116",
        "CWE-74"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-01T19:54:53Z"
}
References

Affected packages

Packagist / mediawiki/core

Package

Name
mediawiki/core
Purl
pkg:composer/mediawiki/core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.31.0
Fixed
1.31.7

Affected versions

1.*

1.31.0
1.31.1
1.31.2
1.31.3
1.31.4
1.31.5
1.31.6

Packagist / mediawiki/core

Package

Name
mediawiki/core
Purl
pkg:composer/mediawiki/core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.33.0
Fixed
1.33.3

Affected versions

1.*

1.33.0
1.33.1
1.33.2

Packagist / mediawiki/core

Package

Name
mediawiki/core
Purl
pkg:composer/mediawiki/core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.34.0
Fixed
1.34.1

Affected versions

1.*

1.34.0