CVE-2021-30458: Cross-site Scripting in Parsoid

Severity: 6.1 MEDIUM (NVD)
EPSS: 0.4% (top 41.16%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 9; Latest update May 24

Description

An issue was discovered in Wikimedia Parsoid before 0.11.1 and 0.12.x before 0.12.2. An attacker can send crafted wikitext that Utils/WTUtils.php will transform by using a tag, bypassing sanitization steps, and potentially allowing for XSS.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (4 packages)

Source    | Package              | Affected range                          | Fixed   | More
NVD       | wikimedia/parsoid    | 0.12.0                                  | 0.12.2  | +1
Packagist | wikimedia/parsoid    | 0.12                                    | 0.12.2  | +1
debian    | debian/mediawiki     | < mediawiki 1:1.35.2-1 (bookworm)       |         |
Debian    | mediawiki/mediawiki  | < 1:1.35.2-1                            |         | +3

Vulnerability Details (3)

OSV: Wikimedia Parsoid vulnerable to Cross-site Scripting (XSS) (2022-05-24)
GHSA: Wikimedia Parsoid vulnerable to Cross-site Scripting (XSS) (2022-05-24)
OSV: CVE-2021-30458: An issue was discovered in Wikimedia Parsoid before 0... (2021-04-09)

Vendor Advisories (1)

Debian: CVE-2021-30458: mediawiki - An issue was discovered in Wikimedia Parsoid before 0.11.1 and 0.12.x before 0.1... (2021)
Source: cvebase