Lucene search

GoogleOSV:CVE-2024-23174

HistoryJan 12, 2024 - 5:15 a.m.

CVE-2024-23174

2024-01-1205:15:10

Google

osv.dev

mediawiki

pagetriage extension

xss

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.0004 Low

EPSS

Percentile

14.1%

JSON

An issue was discovered in the PageTriage extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. XSS can occur via the rev-deleted-user, pagetriage-tags-quickfilter-label, pagetriage-triage, pagetriage-filter-date-range-format-placeholder, pagetriage-filter-date-range-to, pagetriage-filter-date-range-from, pagetriage-filter-date-range-heading, pagetriage-filter-set-button, or pagetriage-filter-reset-button message.

CPENameOperatorVersion
mediawikieq1.6.0
mediawikieq1.35.8
mediawikieq1.35.3
mediawikieq1.35.4
mediawikieq1.35.5
mediawikieq1.5.0beta1
mediawikieq1.35.1
mediawikieq1.5.0beta4
mediawikieq1.5.0alpha2
mediawikieq1.35.12

Name	Operator	Version
mediawiki	eq	1.6.0
mediawiki	eq	1.35.8
mediawiki	eq	1.35.3
mediawiki	eq	1.35.4
mediawiki	eq	1.35.5
mediawiki	eq	1.5.0beta1
mediawiki	eq	1.35.1
mediawiki	eq	1.5.0beta4
mediawiki	eq	1.5.0alpha2
mediawiki	eq	1.35.12

Rows per page:

1-10 of 271

References

gerrit.wikimedia.org/r/c/mediawiki/extensions/PageTriage/+/989177

phabricator.wikimedia.org/T347704