MediaWiki before 1.35.1 allows XSS via BlockLogFormatter.php. MediaWiki:blanknamespace potentially can be output as raw HTML with SCRIPT tags via LogFormatter::makePageLink(). This affects MediaWiki 1.33.0 and later.
References
| Link | Resource |
|---|---|
| https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-December/000268.html | Mailing List Release Notes Vendor Advisory |
| https://phabricator.wikimedia.org/T268938 | Exploit Third Party Advisory |
| https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/STT5Z4A3BCXVH3WIPICWU2FP4IPIMUPC/ | Mailing List Third Party Advisory |
Advertisement
Information
Published : 2020-12-18 00:15
Updated : 2022-10-05 09:02
NVD link : CVE-2020-35478
Mitre link : CVE-2020-35478
JSON object : View
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Advertisement
Products Affected
fedoraproject
- fedora
mediawiki
- mediawiki