vulnerability
MediaWiki: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-2020-26120)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 4 | (AV:N/AC:M/Au:N/C:N/I:P/A:N) | Sep 27, 2020 | Oct 7, 2020 | Nov 8, 2023 |
Severity
4
CVSS
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
Published
Sep 27, 2020
Added
Oct 7, 2020
Modified
Nov 8, 2023
Description
XSS exists in the MobileFrontend extension for MediaWiki before 1.34.4 because section.line is mishandled during regex section line replacement from PageGateway. Using crafted HTML, an attacker can elicit an XSS attack via jQuery's parseHTML method, which can cause image callbacks to fire even without the element being appended to the DOM.
Solution
mediawiki-upgrade-1_34_4
References
- CVE-2020-26120
- https://attackerkb.com/topics/CVE-2020-26120
- URL-https://gerrit.wikimedia.org/r/q/I42e079bc875d17b336ab015f3678eaedc26e10ea
- URL-https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RTTPZ7XMDS66I442OLLHXBDNP2LCBJU6/
- URL-https://phabricator.wikimedia.org/T262213
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.