CVE-2019-19910

Name of the Vulnerable Software and Affected Versions MediaWiki versions 1.34 through 1.35

Description The issue concerns the MinervaNeue Skin in MediaWiki, where it mishandles certain HTML attributes. This can lead to XSS when using onmouseover within an IMG tag, and it can also disclose the client's IP address when using src=http within an IMG tag. This issue can occur within a talk page topical header viewed in a mobile context using MobileFrontend.

Recommendations For versions 1.34 through 1.35, update to a version that fixes the handling of HTML attributes in the MinervaNeue Skin to prevent XSS and IP address disclosure.