CVE-2021-42041

Published: Oct 6, 2021Modified: Nov 21, 2024

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

An issue was discovered in CentralAuth in MediaWiki through 1.36.2. The rightsnone MediaWiki message was not being properly sanitized and allowed for the injection and execution of HTML and JavaScript via the setchange log.

Affected (1)

Products: Mediawiki: Mediawiki

Mediawiki

1 product

Mediawiki

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Mediawiki Mediawiki	Up to 1.36.2

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

https://gerrit.wikimedia.org/r/q/I7aeaa6e4de5ccaa5eeb6bf4fb00c96b01d5fea35

Source: cve@mitre.org

PatchVendor Advisory

https://phabricator.wikimedia.org/T291696

Source: cve@mitre.org

ExploitPatchVendor Advisory

https://gerrit.wikimedia.org/r/q/I7aeaa6e4de5ccaa5eeb6bf4fb00c96b01d5fea35

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

https://phabricator.wikimedia.org/T291696

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitPatchVendor Advisory

Timeline

No history available yet.