Kamalinux

#42126 of 53,630
6.4 Total CVSS
Vulnerabilities · 1
PT-2024-2677
6.4
2024-01-12
Cargo · Cargo · CVE-2024-23173
**Name of the Vulnerable Software and Affected Versions**

- MediaWiki versions prior to 1.35.14
- MediaWiki versions 1.36.x through 1.39.x before 1.39.6
- MediaWiki versions 1.40.x before 1.40.2

**Description**

An issue in the Cargo extension of MediaWiki allows for XSS attacks via the `artist`, `album`, and `position` parameters due to applied filter values in `drilldown/CargoAppliedFilter.php`. This affects the Special:Drilldown page.

**Recommendations**

- For MediaWiki versions prior to 1.35.14, update to version 1.35.14 or later.
- For MediaWiki versions 1.36.x through 1.39.x before 1.39.6, update to version 1.39.6 or later.
- For MediaWiki versions 1.40.x before 1.40.2, update to version 1.40.2 or later.

As a temporary workaround, consider restricting access to the Special:Drilldown page and avoiding the use of `artist`, `album`, and `position` parameters until a patch is applied.