CVE-2013-2031 — Cross-site Scripting in Mediawiki

CWE-79 — Cross-site Scripting5 documents5 sources

Severity

4.3MEDIUMNVD

EPSS

1.6%

top 18.22%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mediawiki Debian Mediawiki

Timeline

PublishedNov 18

Latest updateMay 17

Description

MediaWiki before 1.19.6 and 1.20.x before 1.20.5 allows remote attackers to conduct cross-site scripting (XSS) attacks, as demonstrated by a CDATA section containing valid UTF-7 encoded sequences in a SVG file, which is then incorrectly interpreted as UTF-8 by Chrome and Firefox.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages3 packages

▶debiandebian/mediawiki< mediawiki 1:1.19.6-1 (bookworm)

▶Debianmediawiki/mediawiki< 1:1.19.6-1+3

▶NVDmediawiki/mediawiki1.19.5+52

Patches

Patch: lists.wikimedia.org ↗Patch: lists.wikimedia.org ↗

🔴Vulnerability Details

GHSA

GHSA-47j7-228r-59cw: MediaWiki before 1↗2022-05-17

▶

OSV

CVE-2013-2031: MediaWiki before 1↗2013-11-18

▶

📋Vendor Advisories

Debian

CVE-2013-2031: mediawiki - MediaWiki before 1.19.6 and 1.20.x before 1.20.5 allows remote attackers to cond...↗2013

▶

💬Community

Bugzilla

CVE-2013-2031 CVE-2013-2032 mediawiki: security releases 1.20.5 and 1.19.6↗2013-04-30

▶