CVE-2020-26120

Name of the Vulnerable Software and Affected Versions MediaWiki MobileFrontend extension versions prior to 1.34.4

Description The issue exists due to the mishandling of section.line during regex section line replacement from PageGateway. An attacker can exploit this by using crafted HTML to elicit an XSS attack via jQuery's parseHTML method. This can cause image callbacks to fire even without the element being appended to the DOM.

Recommendations For versions prior to 1.34.4, update to version 1.34.4 or later to resolve the issue. As a temporary workaround, consider restricting the use of jQuery's parseHTML method until a patch is applied.