PT-2019-15811 · Wikimedia · Wikibase Wikidata Query Service Gui

Lucas Werkmeister

Published

2019-11-27

Updated

2019-12-18

CVE-2019-19329

CVSS v3.1

6.1

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Wikibase Wikidata Query Service GUI versions prior to 0.3.6-SNAPSHOT 2019-11-07

Description The issue allows for arbitrary JavaScript execution, which can occur when mathematical expressions in results are displayed directly. This can lead to XSS. The problem was addressed by introducing MathJax as a new mathematics rendering engine.

Recommendations For versions prior to 0.3.6-SNAPSHOT 2019-11-07, update to a version that includes the new mathematics rendering engine, such as 0.3.6-SNAPSHOT or later, to prevent arbitrary JavaScript execution.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2019-19329

Affected Products

Wikibase Wikidata Query Service Gui

PT-2019-15811 · Wikimedia · Wikibase Wikidata Query Service Gui

CVE-2019-19329

Weakness Enumeration

Related Identifiers

Affected Products

References · 6