CVE-2022-28202 — Cross-site Scripting in Mediawiki

CWE-79 — Cross-site Scripting5 documents5 sources

Severity

6.1MEDIUMNVD

EPSS

0.6%

top 30.93%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mediawiki Debian Mediawiki Debian Linux +1 more

Timeline

PublishedMar 30

Latest updateMar 31

Description

An XSS issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. The widthheight, widthheightpage, and nbytes properties of messages are not escaped when used in galleries or Special:RevisionDelete.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

▶debiandebian/mediawiki< mediawiki 1:1.35.6-1 (bookworm)

▶NVDmediawiki/mediawiki1.36.0 — 1.36.4+2

▶Debianmediawiki/mediawiki< 1:1.35.8-1~deb11u1+3

Also affects: Debian Linux 10.0, Fedora 36

Patches

Patch: phabricator.wikimedia.org ↗Patch: phabricator.wikimedia.org ↗

🔴Vulnerability Details

GHSA

GHSA-5c63-m98j-vx6v: An XSS issue was discovered in MediaWiki before 1↗2022-03-31

▶

OSV

CVE-2022-28202: An XSS issue was discovered in MediaWiki before 1↗2022-03-30

▶

📋Vendor Advisories

Red Hat

mediawiki: xss due to incorrect escaping↗2022-03-30

▶

Debian

CVE-2022-28202: mediawiki - An XSS issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, an...↗2022

▶