Veracode Vulnerability Database: VERACODE:20768
History: Jul 11, 2019 - 3:09 a.m.

Cross-site Scripting (XSS)

sca.analysiscenter.veracode.com

EPSS: 0.003 (Low), percentile 70.8%

MediaWiki is vulnerable to cross-site scripting (XSS). The attack is possible because MediaWiki allows the creation of a page that does not correspond to any user, e.g. User:Foo/bar.js. An attacker can subsequently create the account User:Foo and create a malicious script bar.js; the malicious code within that script is then executed when a user loads a page that calls importScript( 'User:Foo/bar.js' );.
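
A defensive check for the condition described above, as an added example that is not part of the original advisory or of MediaWiki's code: it scans script text for importScript() targets under the User namespace and flags those whose owning account is not registered. The function names, the sample script text and the list of registered accounts are assumptions constructed for illustration; in practice the account list would come from the wiki itself.

```javascript
// Added example (not MediaWiki code): find importScript() calls that load a
// User-namespace subpage whose owning account does not exist, i.e. a name
// someone else could still register.

// Compare names the way MediaWiki titles are compared: underscores are
// spaces and the first letter is upper-cased.
function normalizeUser(name) {
  const s = name.replace(/_/g, ' ').trim().replace(/ +/g, ' ');
  return s.charAt(0).toUpperCase() + s.slice(1);
}

// Return every importScript('User:Owner/subpage') target in the source text.
function findUserImports(source) {
  const re = /importScript\s*\(\s*(['"])\s*([^'":]+):([^'"\/]+)\/([^'"]+)\1\s*\)/g;
  const hits = [];
  for (const m of source.matchAll(re)) {
    // Namespace names are case-insensitive; only the User namespace matters.
    if (m[2].trim().toLowerCase() !== 'user') continue;
    hits.push({ owner: normalizeUser(m[3]), subpage: m[4].trim() });
  }
  return hits;
}

// Keep only imports whose owner is missing from the registered accounts.
function auditImports(source, registeredUsers) {
  const known = new Set([...registeredUsers].map(normalizeUser));
  return findUserImports(source).filter((h) => !known.has(h.owner));
}

// Constructed sample input: a site script and the accounts that exist.
const sampleScript = [
  "importScript( 'User:Foo/bar.js' );",
  'importScript("User:Alice_Admin/tools.js");',
  "importScript('user:bob/gadget.js');",
  "importScript('MediaWiki:Shared.js');",
].join('\n');
const sampleRegistered = ['Alice Admin'];

const findings = auditImports(sampleScript, sampleRegistered);
for (const f of findings) {
  console.log(`import from unregistered owner: User:${f.owner}/${f.subpage}`);
}
```

Any finding is a script load that should be removed or repointed to a page owned by an existing, trusted account.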