Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Rcfilters/ui/RclToOrFromWidget.Js.
This issue affects MediaWiki: all versions before 1.39.14, 1.43.4, and 1.44.1.
A flaw was found in MediaWiki. A remote attacker can exploit this Cross-site Scripting (XSS) vulnerability by injecting malicious scripts into web pages due to improper neutralization of input during web page generation. This could lead to arbitrary code execution in the context of the user's browser, potentially allowing for information disclosure or session hijacking.
Report
A stored cross-site scripting (XSS) vulnerability exists in MediaWiki's Special:RecentChangesLinked feature, allowing for the injection of malicious scripts via system messages. This flaw could enable an attacker with high privileges to execute arbitrary client-side scripts in the context of other users' browsers. This issue affects MediaWiki versions before 1.39.14, 1.43.4, and 1.44.1, as distributed in Fedora 42 and Fedora 43.
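The defect class described above is a system message (text that a privileged wiki editor can change) flowing into HTML that a client-side widget generates, without being neutralized for the HTML context. The following is an added illustration of that pattern and of the corresponding fix; it is not MediaWiki's code, and the function names, the CSS class and the sample message are all constructed for this example.

```javascript
// Illustrative example, not MediaWiki code. A "system message" is text that a
// privileged editor can change through the wiki itself, so from the point of
// view of the JavaScript that renders it, it is untrusted input.

// Minimal escaper for the HTML text context (and double-quoted attributes):
// the five characters that can change the structure of generated markup.
function escapeHtml(str) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern (CWE-79): the message text is concatenated straight into
// markup, so any tags it contains become part of the page's DOM.
function buildLabelUnsafe(messageText) {
  return '<label class="example-rcfilters-label">' + messageText + '</label>';
}

// Hardened pattern: the message text is escaped first, so markup inside the
// message is rendered as visible characters rather than interpreted.
function buildLabelSafe(messageText) {
  return '<label class="example-rcfilters-label">' + escapeHtml(messageText) + '</label>';
}

// Review/detection helper: counts tag openers in a generated fragment. A
// template that contains exactly N tags of its own must still contain exactly
// N after the message has been substituted; any increase means the message
// was interpreted as markup.
function countTags(html) {
  return (html.match(/<[a-zA-Z!\/]/g) || []).length;
}

// Constructed sample: a system message edited to carry a script element.
const sampleMessage =
  'Show changes to pages linked <script>doSomething()</script> from the given page';

// Stand-alone demonstration.
console.log('unsafe tag count:', countTags(buildLabelUnsafe(sampleMessage))); // 4
console.log('safe tag count:  ', countTags(buildLabelSafe(sampleMessage)));   // 2
```

The label template itself contains two tags (`<label>` and `</label>`); with the unsafe builder the substituted message adds two more, with the safe builder the count stays at two. The same counting check can be applied in a unit test to any fragment a widget generates from message text.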
Mitigation
To reduce the attack surface for this stored cross-site scripting vulnerability, restrict network access to the MediaWiki instance, particularly to administrative interfaces, to trusted networks and users. Additionally, ensure that only highly trusted and authorized personnel are granted administrative privileges within MediaWiki, as these privileges are necessary to inject malicious scripts into system messages. This operational control helps limit who can introduce vulnerable content.
Additional information
Status:
CVSS3: 4.6 Medium
Related vulnerabilities
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Rcfilters/ui/RclToOrFromWidget.Js. This issue affects MediaWiki: all versions before 1.39.14, 1.43.4, and 1.44.1.