CVE-2019-12471 — Cross-site Scripting in Mediawiki

CWE-79 — Cross-site Scripting5 documents4 sources

Severity

6.1MEDIUMNVD

EPSS

0.4%

top 41.92%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mediawiki Mediawiki Core Debian Mediawiki +1 more

Timeline

PublishedJul 10

Latest updateMay 24

Description

Wikimedia MediaWiki 1.30.0 through 1.32.1 has XSS. Loading user JavaScript from a non-existent account allows anyone to create the account, and perform XSS on users loading that script. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages4 packages

▶Packagistmediawiki/core1.27.0 — 1.27.6+2

▶debiandebian/mediawiki< mediawiki 1:1.31.2-1 (bookworm)

▶NVDmediawiki/mediawiki1.30.0 — 1.30.2+2

▶Debianmediawiki/mediawiki< 1:1.31.2-1+3

Also affects: Debian Linux 9.0

Patches

Patch: lists.wikimedia.org ↗Patch: lists.wikimedia.org ↗

🔴Vulnerability Details

OSV

MediaWiki Cross-site Scripting (XSS)↗2022-05-24

▶

GHSA

MediaWiki Cross-site Scripting (XSS)↗2022-05-24

▶

OSV

CVE-2019-12471: Wikimedia MediaWiki 1↗2019-07-10

▶

📋Vendor Advisories

Debian

CVE-2019-12471: mediawiki - Wikimedia MediaWiki 1.30.0 through 1.32.1 has XSS. Loading user JavaScript from ...↗2019

▶