CVE-2021-30154

Published: Apr 6, 2021Modified: Nov 21, 2024

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. On Special:NewFiles, all the mediastatistics-header-* messages are output in HTML unescaped, leading to XSS.

Affected (5)

Products: Mediawiki: Mediawiki · Debian: Debian Linux · Fedoraproject: Fedora

1 product

1 product

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Mediawiki Mediawiki	Before 1.31.12
Mediawiki Mediawiki	From 1.32.0 to 1.35.2

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0

Configuration C

2 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 33
Fedoraproject Fedora	Version 34

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (10)

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/26UJGHF7LJDOCQN6A3Z4PM7PYRKENJHE/

Source: cve@mitre.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2OMSV7B2TCFBOCICN3B4SMQP5HVRJQIT/

Source: cve@mitre.org

https://phabricator.wikimedia.org/T278014

Source: cve@mitre.org

ExploitIssue TrackingPatchVendor Advisory

https://security.gentoo.org/glsa/202107-40

Source: cve@mitre.org

Third Party Advisory

https://www.debian.org/security/2021/dsa-4889

Source: cve@mitre.org

Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/26UJGHF7LJDOCQN6A3Z4PM7PYRKENJHE/