Description
MediaWiki UnlinkedWikibase Cross-site Scripting vulnerability
An issue was discovered in the UnlinkedWikibase extension in MediaWiki before 1.42.0. XSS can occur through an interface message. Error messages (in the $err var) are not escaped before being passed to Html::rawElement() in the getError() function in the Hooks class.
References
- https://nvd.nist.gov/vuln/detail/CVE-2024-34500
- https://github.com/github/advisory-database/pull/5310
- https://gerrit.wikimedia.org/r/c/mediawiki/extensions/UnlinkedWikibase/+/1002175
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FU2FGUXXK6TMV6R52VRECLC6XCSQQISY
- https://phabricator.wikimedia.org/T357203
Packages
samwilson/unlinked-wikibase
- Affected versions: < 1.42.0
- Fixed version: 1.42.0
Related vulnerabilities
An issue was discovered in the UnlinkedWikibase extension in MediaWiki before 1.39.6, 1.40.x before 1.40.2, and 1.41.x before 1.41.1. XSS can occur through an interface message. Error messages (in the $err var) are not escaped before being passed to Html::rawElement() in the getError() function in the Hooks class.
A vulnerability in the UnlinkedWikibase extension of the MediaWiki software for implementing a hypertext environment, allowing an attacker to carry out cross-site scripting (XSS)