vulnerability

MediaWiki: CVE-2023-22910: Improper Neutralization of Input During Web Page Generation

Try Surface Command

Back to search

Severity

CVSS

(AV:N/AC:M/Au:S/C:P/I:P/A:N)

Published

Jan 20, 2023

Added

Jan 30, 2023

Modified

May 6, 2026

Description

An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. There is XSS in Wikibase date formatting via wikibase-time-precision-* fields. This allows JavaScript execution by staff/admin users who do not intentionally have the editsitejs capability.

Solution

mediawiki-upgrade-latest

References

CVE-2023-22910
https://attackerkb.com/topics/CVE-2023-22910
https://phabricator.wikimedia.org/T323592
https://euvd.enisa.europa.eu/vulnerability/EUVD-2023-27012
CWE-79
EUVD-EUVD-2023-27012

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report