Lucene search

GitHub_MCVELIST:CVE-2021-39186

HistorySep 01, 2021 - 8:35 p.m.

CVE-2021-39186 Improper Input Validation in GlobalNewFiles

2021-09-0120:35:12

CWE-20

GitHub_M

www.cve.org

cve-2021-39186

input validation

globalnewfiles

mediawiki

miraheze

stored xss

patch

workaround

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

41.3%

JSON

GlobalNewFiles is a MediaWiki extension maintained by Miraheze. Prior to commit number cee254e1b158cdb0ddbea716b1d3edc31fa4fb5d, the username column of the GlobalNewFiles special page is vulnerable to a stored XSS. Commit number cee254e1b158cdb0ddbea716b1d3edc31fa4fb5d contains a patch. As a workaround, one may disallow <,> (or other characters required to insert html/js) from being used in account names so an XSS is not possible.

CNA Affected

[
  {
    "product": "GlobalNewFiles",
    "vendor": "miraheze",
    "versions": [
      {
        "status": "affected",
        "version": "< cee254e1b158cdb0ddbea716b1d3edc31fa4fb5d"
      }
    ]
  }
]

References

github.com/miraheze/GlobalNewFiles/commit/cee254e1b158cdb0ddbea716b1d3edc31fa4fb5d

github.com/miraheze/GlobalNewFiles/security/advisories/GHSA-57p5-hqjq-h7vg

phabricator.miraheze.org/T7935

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

41.3%

JSON

Related for CVELIST:CVE-2021-39186