MediaWiki UnlinkedWikibase Cross-site Scripting vulnerability

An issue was discovered in the UnlinkedWikibase extension in MediaWiki before 1.42.0. XSS can occur through an interface message. Error messages in the $err var are not escaped before being passed to Html::rawElement in the getError function in the Hooks class...

CVE-2024-34500

CVE-2024-34500 affects MediaWiki with the UnlinkedWikibase extension prior to certain versions: 1.39.6, 1.40.x before 1.40.2, and 1.41.x before 1.41.1. The issue is an XSS flaw triggered via interface messages where error text stored in the $err variable is not escaped before passing to Html::raw...