CVE-2023-22911 — Cross-site Scripting in Mediawiki

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

6.1MEDIUMNVD

EPSS

0.6%

top 31.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mediawiki Fedoraproject Fedora

Timeline

PublishedJan 10

Description

An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. E-Widgets does widget replacement in HTML attributes, which can lead to XSS, because widget authors often do not expect that their widget is executed in an HTML attribute context.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages1 packages

▶NVDmediawiki/mediawiki1.36.0 — 1.38.5+2

Also affects: Fedora 37

Patches

Patch: phabricator.wikimedia.org ↗Patch: phabricator.wikimedia.org ↗

🔴Vulnerability Details

OSV

CVE-2023-22911: An issue was discovered in MediaWiki before 1↗2023-01-10

▶

GHSA

GHSA-6fwq-c2cr-jg74: An issue was discovered in MediaWiki before 1↗2023-01-10

▶

📋Vendor Advisories

Red Hat

MediaWiki: XSS in widget placement↗2023-01-10

▶