CVE-2024-34500 — Cross-site Scripting in Mediawiki

CWE-79 — Cross-site Scripting5 documents5 sources

Severity

6.1MEDIUMNVD

EPSS

0.3%

top 46.69%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mediawiki Samwilson Unlinked-wikibase Fedoraproject Fedora

Timeline

PublishedMay 5

Description

An issue was discovered in the UnlinkedWikibase extension in MediaWiki before 1.39.6, 1.40.x before 1.40.2, and 1.41.x before 1.41.1. XSS can occur through an interface message. Error messages (in the $err var) are not escaped before being passed to Html::rawElement() in the getError() function in the Hooks class.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶NVDmediawiki/mediawiki1.40.0 — 1.40.2+2

▶Packagistsamwilson/unlinked-wikibase< 1.42.0

Also affects: Fedora 40

Patches

Patch: gerrit.wikimedia.org ↗Patch: gerrit.wikimedia.org ↗

🔴Vulnerability Details

CVEList

CVE-2024-34500: An issue was discovered in the UnlinkedWikibase extension in MediaWiki before 1↗2024-05-05

▶

OSV

MediaWiki UnlinkedWikibase Cross-site Scripting vulnerability↗2024-05-05

▶

GHSA

MediaWiki UnlinkedWikibase Cross-site Scripting vulnerability↗2024-05-05

▶

📋Vendor Advisories

Red Hat

mediawiki: XSS through interface message in UnlinkedWikibase↗2024-05-05

▶