CVE-2024-34507: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in MediaWiki

Severity: 7.4 HIGH (NVD)
EPSS: 0.4% (top 36.71%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published May 5

Description

An issue was discovered in includes/CommentFormatter/CommentParser.php in MediaWiki before 1.39.7, 1.40.x before 1.40.3, and 1.41.x before 1.41.1. XSS can occur because of mishandling of the 0x1b character, as demonstrated by Special:RecentChanges#%1b0000000.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 4.0

Affected Packages (2 packages)

NVD: mediawiki/mediawiki, affected 1.40.0, fixed 1.40.3 (+2 more)
Debian: mediawiki/mediawiki < 1:1.39.7-1~deb12u1 (+2 more)

Also affects: Fedora 40

Vulnerability Details (3)

OSV: CVE-2024-34507: An issue was discovered in includes/CommentFormatter/CommentParser (2024-05-05)
GHSA: GHSA-gwp7-78vh-mpmm: An issue was discovered in includes/CommentFormatter/CommentParser (2024-05-05)
CVEList: CVE-2024-34507: An issue was discovered in includes/CommentFormatter/CommentParser (2024-05-05)

Vendor Advisories (2)

Red Hat: mediawiki: cross-site scripting (2024-05-05)
Debian: CVE-2024-34507: mediawiki - An issue was discovered in includes/CommentFormatter/CommentParser.php in MediaW... (2024)
CVE-2024-34507 — Mediawiki vulnerability | cvebase