vulnerability

MediaWiki: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-2023-22911)

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
6	(AV:N/AC:M/Au:N/C:P/I:P/A:N)	Jan 10, 2023	Jan 16, 2023	Jan 28, 2025

Severity

CVSS

(AV:N/AC:M/Au:N/C:P/I:P/A:N)

Published

Jan 10, 2023

Added

Jan 16, 2023

Modified

Jan 28, 2025

Description

An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. E-Widgets does widget replacement in HTML attributes, which can lead to XSS, because widget authors often do not expect that their widget is executed in an HTML attribute context.

Solutions

mediawiki-upgrade-1_35_9mediawiki-upgrade-1_38_5

References

CVE-2023-22911
https://attackerkb.com/topics/CVE-2023-22911
URL-https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AP65YEN762IBNQPOYGUVLTQIDLM5XD2A/
URL-https://phabricator.wikimedia.org/T149488

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today