An issue was discovered in the Growth extension in MediaWiki through 1.36.2. Any admin can add arbitrary JavaScript code to the Newcomer home page footer, which can be executed by viewers with zero edits.
References
Link | Resource |
---|---|
https://gerrit.wikimedia.org/r/q/Iaa90a8976834d70caad592e9d1b18510318db537 | Patch Vendor Advisory |
https://phabricator.wikimedia.org/T289064 | Patch Vendor Advisory |
Configurations
History
30 Sep 2022, 16:42
Type | Values Removed | Values Added |
---|---|---|
First Time |
Mediawiki mediawiki
Mediawiki |
|
CWE | CWE-79 | |
References | (MISC) https://gerrit.wikimedia.org/r/q/Iaa90a8976834d70caad592e9d1b18510318db537 - Patch, Vendor Advisory | |
References | (MISC) https://phabricator.wikimedia.org/T289064 - Patch, Vendor Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 4.8 |
CPE | cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:* |
29 Sep 2022, 17:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-09-29 03:15
Updated : 2023-12-10 14:35
NVD link : CVE-2021-42048
Mitre link : CVE-2021-42048
CVE.ORG link : CVE-2021-42048
JSON object : View
Products Affected
mediawiki
- mediawiki
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')