CVE-2013-4303 — Cross-site Scripting in Mediawiki

CWE-79 — Cross-site Scripting5 documents5 sources

Severity

6.1MEDIUMNVD

EPSS

0.6%

top 31.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mediawiki Debian Mediawiki Wikimedia Foundation Mediawiki

Timeline

PublishedDec 11

Latest updateMay 5

Description

includes/libs/IEUrlExtension.php in the MediaWiki API in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 does not properly detect extensions when there are an even number of "." (period) characters in a string, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the siprop parameter in a query action to wiki/api.php.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages4 packages

▶debiandebian/mediawiki< mediawiki 1:1.19.8+dfsg-1 (bookworm)

▶NVDmediawiki/mediawiki1.19.0 — 1.19.8+2

▶Debianmediawiki/mediawiki< 1:1.19.8+dfsg-1+3

▶CVEListV5wikimedia_foundation/mediawiki1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2+2

Patches

Patch: lists.wikimedia.org ↗Patch: bugzilla.wikimedia.org ↗Patch: lists.wikimedia.org ↗

🔴Vulnerability Details

GHSA

GHSA-rxq7-cw42-v5ch: includes/libs/IEUrlExtension↗2022-05-05

▶

OSV

CVE-2013-4303: includes/libs/IEUrlExtension↗2019-12-11

▶

📋Vendor Advisories

Debian

CVE-2013-4303: mediawiki - includes/libs/IEUrlExtension.php in the MediaWiki API in MediaWiki 1.19.x before...↗2013

▶

💬Community

Bugzilla

CVE-2013-4301 CVE-2013-4302 CVE-2013-4303 mediawiki: security releases 1.21.2, 1.20.7, and 1.19.8↗2013-09-04

▶