vulnerability

MediaWiki: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CVE-2020-10960)

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
5	(AV:N/AC:L/Au:N/C:N/I:P/A:N)	2020-04-03	2020-04-08	2021-08-05

Severity

CVSS

(AV:N/AC:L/Au:N/C:N/I:P/A:N)

Published

2020-04-03

Added

2020-04-08

Modified

2021-08-05

Description

In MediaWiki before 1.34.1, users can add various Cascading Style Sheets (CSS) classes (which can affect what content is shown or hidden in the user interface) to arbitrary DOM nodes via HTML content within a MediaWiki page. This occurs because jquery.makeCollapsible allows applying an event handler to any Cascading Style Sheets (CSS) selector. There is no known way to exploit this for cross-site scripting (XSS).

Solution

mediawiki-upgrade-1_34_1

References

CVE-2020-10960
https://attackerkb.com/topics/CVE-2020-10960
URL-https://lists.wikimedia.org/pipermail/wikitech-l/2020-March/093243.html
URL-https://phabricator.wikimedia.org/T246602

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today