An issue was discovered in CentralAuth in MediaWiki through 1.36.2. The rightsnone MediaWiki message was not being properly sanitized and allowed for the injection and execution of HTML and JavaScript via the setchange log.
References
Link | Resource |
---|---|
https://gerrit.wikimedia.org/r/q/I7aeaa6e4de5ccaa5eeb6bf4fb00c96b01d5fea35 | Patch Vendor Advisory |
https://phabricator.wikimedia.org/T291696 | Exploit Patch Vendor Advisory |
Configurations
History
14 Oct 2021, 18:55
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : 4.3
v3 : 6.1 |
CWE | CWE-79 | |
CPE | cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:* | |
References | (MISC) https://phabricator.wikimedia.org/T291696 - Exploit, Patch, Vendor Advisory | |
References | (MISC) https://gerrit.wikimedia.org/r/q/I7aeaa6e4de5ccaa5eeb6bf4fb00c96b01d5fea35 - Patch, Vendor Advisory |
06 Oct 2021, 21:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-10-06 21:15
Updated : 2023-12-10 14:09
NVD link : CVE-2021-42041
Mitre link : CVE-2021-42041
CVE.ORG link : CVE-2021-42041
JSON object : View
Products Affected
mediawiki
- mediawiki
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')