An issue was discovered in the CheckUser extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. XSS can occur via message definitions. e.g., in SpecialCheckUserLog.
References
Link | Resource |
---|---|
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/989179 | Patch Vendor Advisory |
https://phabricator.wikimedia.org/T347708 | Exploit Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
18 Jan 2024, 20:23
Type | Values Removed | Values Added |
---|---|---|
First Time |
Mediawiki
Mediawiki mediawiki |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.4 |
CPE | cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:* | |
CWE | CWE-79 | |
References | () https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/989179 - Patch, Vendor Advisory | |
References | () https://phabricator.wikimedia.org/T347708 - Exploit, Vendor Advisory |
12 Jan 2024, 13:47
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
12 Jan 2024, 05:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-01-12 05:15
Updated : 2024-01-18 20:23
NVD link : CVE-2024-23172
Mitre link : CVE-2024-23172
CVE.ORG link : CVE-2024-23172
JSON object : View
Products Affected
mediawiki
- mediawiki
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')