CVE-2021-39186

Published: Sep 1, 2021Modified: Nov 21, 2024

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

GlobalNewFiles is a MediaWiki extension maintained by Miraheze. Prior to commit number cee254e1b158cdb0ddbea716b1d3edc31fa4fb5d, the username column of the GlobalNewFiles special page is vulnerable to a stored XSS. Commit number cee254e1b158cdb0ddbea716b1d3edc31fa4fb5d contains a patch. As a workaround, one may disallow <,> (or other characters required to insert html/js) from being used in account names so an XSS is not possible.

Affected (1)

Products: Miraheze: Globalnewfiles

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Miraheze Globalnewfiles	Before 2021-09-01

Related CWEs

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (6)

https://github.com/miraheze/GlobalNewFiles/commit/cee254e1b158cdb0ddbea716b1d3edc31fa4fb5d

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/miraheze/GlobalNewFiles/security/advisories/GHSA-57p5-hqjq-h7vg

Source: security-advisories@github.com

Third Party Advisory

https://phabricator.miraheze.org/T7935

Source: security-advisories@github.com

ExploitThird Party Advisory

https://github.com/miraheze/GlobalNewFiles/commit/cee254e1b158cdb0ddbea716b1d3edc31fa4fb5d

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/miraheze/GlobalNewFiles/security/advisories/GHSA-57p5-hqjq-h7vg

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://phabricator.miraheze.org/T7935

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.