Name of the Vulnerable Software and Affected Versions MediaWiki versions prior to 1.23.8

Description The issue affects MediaWiki, where thumb.php outputs wikitext messages as raw HTML, potentially leading to cross-site scripting. Exploitation requires permission to edit the MediaWiki namespace. Additionally, a malicious site can bypass CORS restrictions in API calls by including an allowed domain as part of its name, circumventing the $wgCrossSiteAJAXdomains setting.

Recommendations For versions prior to 1.23.8, update to version 1.23.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the MediaWiki namespace to minimize the risk of exploitation. Additionally, review and restrict the $wgCrossSiteAJAXdomains setting to prevent bypassing of CORS restrictions.