An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. E-Widgets does widget replacement in HTML attributes, which can lead to XSS, because widget authors often do not expect that their widget is executed in an HTML attribute context.
References
Link | Resource |
---|---|
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AP65YEN762IBNQPOYGUVLTQIDLM5XD2A/ | |
https://phabricator.wikimedia.org/T149488 | Exploit Issue Tracking Patch Vendor Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
History
07 Nov 2023, 04:07
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
27 Feb 2023, 14:09
Type | Values Removed | Values Added |
---|---|---|
First Time |
Fedoraproject
Fedoraproject fedora |
|
CPE | cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:* | |
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AP65YEN762IBNQPOYGUVLTQIDLM5XD2A/ - Mailing List, Third Party Advisory |
27 Jan 2023, 11:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
13 Jan 2023, 06:34
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://phabricator.wikimedia.org/T149488 - Exploit, Issue Tracking, Patch, Vendor Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.1 |
CWE | CWE-79 | |
CPE | cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:* cpe:2.3:a:mediawiki:mediawiki:1.39.0:-:*:*:*:*:*:* cpe:2.3:a:mediawiki:mediawiki:1.39.0:rc0:*:*:*:*:*:* cpe:2.3:a:mediawiki:mediawiki:1.39.0:rc1:*:*:*:*:*:* |
|
First Time |
Mediawiki
Mediawiki mediawiki |
10 Jan 2023, 08:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-01-10 08:15
Updated : 2023-12-10 14:48
NVD link : CVE-2023-22911
Mitre link : CVE-2023-22911
CVE.ORG link : CVE-2023-22911
JSON object : View
Products Affected
fedoraproject
- fedora
mediawiki
- mediawiki
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')