CVE-2022-28202: Messages widthheight/widthheightpage/nbytes not escaped when used in galleries or Special:RevisionDelete

An XSS issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. The widthheight, widthheightpage, and nbytes properties of messages are not escaped when used in galleries or Special:RevisionDelete.

Tags: CVE, #xss, #auth
Risk Rating

Low

Author Affiliation

Wikimedia Communities

Event Timeline

Restricted Application added a subscriber: Aklapper.

sbassett changed Author Affiliation from N/A to Wikimedia Communities.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".

sbassett changed Risk Rating from N/A to Low.

Reedy renamed this task from Messages widthheight/widthheightpage/nbytes not escaped when used in galleries or Special:RevisionDelete to CVE-2022-: Messages widthheight/widthheightpage/nbytes not escaped when used in galleries or Special:RevisionDelete.

Reedy renamed this task from CVE-2022-: Messages widthheight/widthheightpage/nbytes not escaped when used in galleries or Special:RevisionDelete to CVE-2022-28202: Messages widthheight/widthheightpage/nbytes not escaped when used in galleries or Special:RevisionDelete.

Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses.
