CVE-2020-35478

Name of the Vulnerable Software and Affected Versions MediaWiki versions 1.33.0 through 1.35.1

Description The issue allows for XSS via BlockLogFormatter.php, where MediaWiki:blanknamespace can potentially be output as raw HTML with SCRIPT tags via LogFormatter::makePageLink().

Recommendations For versions 1.33.0 through 1.35.1, update to version 1.35.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the LogFormatter::makePageLink() function until a patch is available. Avoid using the MediaWiki:blanknamespace variable in the affected API endpoint until the issue is resolved.