vulnerability

MediaWiki: CVE-2024-23173: Improper Neutralization of Input During Web Page Generation

Try Surface Command

Back to search

Severity

CVSS

(AV:N/AC:M/Au:N/C:P/I:P/A:N)

Published

Jan 12, 2024

Added

Jan 22, 2024

Modified

May 6, 2026

Description

An issue was discovered in the Cargo extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. The Special:Drilldown page allows XSS via artist, album, and position parameters because of applied filter values in drilldown/CargoAppliedFilter.php.

Solution

mediawiki-upgrade-latest

References

CVE-2024-23173
https://attackerkb.com/topics/CVE-2024-23173
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/965214
https://phabricator.wikimedia.org/T348687
https://euvd.enisa.europa.eu/vulnerability/EUVD-2024-20692
CWE-79
EUVD-EUVD-2024-20692

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report