vulnerability

Arch Linux: Cross-site scripting (CVE-2017-0365)

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
3	(AV:N/AC:H/Au:N/C:N/I:P/A:N)	Apr 13, 2018	Jul 11, 2025	Nov 27, 2025

Severity

CVSS

(AV:N/AC:H/Au:N/C:N/I:P/A:N)

Published

Apr 13, 2018

Added

Jul 11, 2025

Modified

Nov 27, 2025

Description

SearchHighlighter::removeWiki() uses a regex to remove html from snippets. The regex - /<\/?[^>]+>/ assumes that html is well-formed. As a result when using SearchHighlighter::highlightText() as the highlighting method, this can result in an XSS when $wgAdvancedSearchHighlighting is true.

Solution

arch-linux-upgrade-latest

References

CVE-2017-0365
https://attackerkb.com/topics/CVE-2017-0365
URL-https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html
URL-https://phabricator.wikimedia.org/T144845
URL-https://security-tracker.debian.org/tracker/CVE-2017-0365
URL-https://security.archlinux.org/ASA-201704-3
CWE-79

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today