CVE-2021-41798Cross-site Scripting in Mediawiki

CWE-79Cross-site Scripting5 documents5 sources
Severity
6.1MEDIUMNVD
EPSS
0.2%
top 63.38%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
MediawikiDebian MediawikiFedoraproject Fedora
Timeline
PublishedOct 11
Latest updateMay 24

Description

MediaWiki before 1.36.2 allows XSS. Month related MediaWiki messages are not escaped before being used on the Special:Search results page.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

debiandebian/mediawiki< mediawiki 1:1.35.4-1 (bookworm)
NVDmediawiki/mediawiki< 1.36.2
Debianmediawiki/mediawiki< 1:1.35.4-1~deb11u1+3

Also affects: Fedora 33, 34, 35

Patches

Patch: phabricator.wikimedia.orgPatch: phabricator.wikimedia.org

🔴Vulnerability Details

2
GHSA
GHSA-6w7p-46mm-c2fc: MediaWiki before 12022-05-24
OSV
CVE-2021-41798: MediaWiki before 12021-10-11

📋Vendor Advisories

2
Red Hat
mediawiki: Cross-site scripting (XSS) in Special:Search2021-09-30
Debian
CVE-2021-41798: mediawiki - MediaWiki before 1.36.2 allows XSS. Month related MediaWiki messages are not esc...2021
CVE-2021-41798 — Cross-site Scripting in Mediawiki | cvebase