CVE-2022-28202

Published: Mar 30, 2022Modified: Nov 21, 2024

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

An XSS issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. The widthheight, widthheightpage, and nbytes properties of messages are not escaped when used in galleries or Special:RevisionDelete.

Affected (5)

Products: Mediawiki: Mediawiki · Fedoraproject: Fedora · Debian: Debian Linux

1 product

1 product

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Mediawiki Mediawiki	Before 1.35.6
Mediawiki Mediawiki	From 1.36.0 to 1.36.4
Mediawiki Mediawiki	From 1.37.0 to 1.37.2

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 36

Configuration C

1 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (10)

https://lists.debian.org/debian-lts-announce/2022/09/msg00027.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PT4CHJKOQOVMI65TSNZRNV6FIWU7SGZD/

Source: cve@mitre.org

https://phabricator.wikimedia.org/T297543

Source: cve@mitre.org

Issue TrackingPatchVendor Advisory

https://security.gentoo.org/glsa/202305-24

Source: cve@mitre.org

https://www.debian.org/security/2022/dsa-5246

Source: cve@mitre.org

Third Party Advisory

https://lists.debian.org/debian-lts-announce/2022/09/msg00027.html