vulnerability

MediaWiki: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CVE-2020-10960)

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
5	(AV:N/AC:L/Au:N/C:N/I:P/A:N)	Apr 3, 2020	Apr 8, 2020	Apr 7, 2026

Severity

CVSS

(AV:N/AC:L/Au:N/C:N/I:P/A:N)

Published

Apr 3, 2020

Added

Apr 8, 2020

Modified

Apr 7, 2026

Description

In MediaWiki before 1.34.1, users can add various Cascading Style Sheets (CSS) classes (which can affect what content is shown or hidden in the user interface) to arbitrary DOM nodes via HTML content within a MediaWiki page. This occurs because jquery.makeCollapsible allows applying an event handler to any Cascading Style Sheets (CSS) selector. There is no known way to exploit this for cross-site scripting (XSS).

Solution

mediawiki-upgrade-1_34_1

References

CVE-2020-10960
https://attackerkb.com/topics/CVE-2020-10960
CWE-74
EUVD-EUVD-2022-4752
https://euvd.enisa.europa.eu/vulnerability/EUVD-2022-4752
https://lists.wikimedia.org/pipermail/wikitech-l/2020-March/093243.html
https://phabricator.wikimedia.org/T246602

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report