PT-2020-2139 · Mediawiki

Yair_Rand · Published 2020-03-29 · Updated 2024-03-06 · CVE-2020-10960 · CVSS v3.1 5.3 Medium

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions: MediaWiki versions prior to 1.34.1
Description: The issue stems from improper encoding or escaping of output in MediaWiki's jquery.makeCollapsible module, which allows its event handler to be applied to any CSS selector rather than only to elements inside the collapsible block. A remote attacker who can place HTML content in a MediaWiki page can therefore add various Cascading Style Sheets (CSS) classes to arbitrary DOM nodes, including nodes outside the attacker's own content, and so change what the user interface shows or hides. The impact is limited to the integrity of the rendered page (CVSS C:N/I:L/A:N); there is no known way to exploit this for cross-site scripting (XSS).

Recommendations: Update to MediaWiki 1.34.1 or later. If an immediate update is not possible, restrict the use of jquery.makeCollapsible so that its event handler cannot be applied to arbitrary CSS selectors. Wikis where untrusted users can edit pages are the ones exposed (the PR:N case reflected in the CVSS vector), since the attacker needs to get HTML content into a page.
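The following is an added example, not code from this advisory or from MediaWiki's jquery.makeCollapsible, showing the weakness class the description and the workaround refer to: a page-supplied value concatenated into a jQuery/CSS selector without escaping, so the toggle handler binds to elements the page author never owned, beside the escaped version that cannot. The `toggle-` class prefix, the `cssEscape` helper (a subset of the CSSOM `CSS.escape()` algorithm, written out because Node has no global `CSS`), the fake DOM and the sample id are all constructed for this demo; whether MediaWiki's actual code built its selector this way is not stated on this page.

```javascript
// Added illustration (not MediaWiki code) of the weakness class behind
// CVE-2020-10960: a value taken from page content is concatenated into a CSS
// selector that is then handed to jQuery, so the toggle handler can end up
// bound to elements the page author never owned. The "toggle-" prefix, the
// fake DOM and the sample id are constructed for this demo.

// Subset of the CSSOM CSS.escape() algorithm (Node has no global CSS object).
// Every character that is not safe inside a CSS identifier is escaped.
function cssEscape(value) {
  const s = String(value);
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    const code = s.charCodeAt(i);
    const isDigit = code >= 0x30 && code <= 0x39;
    if (code === 0) { out += '\uFFFD'; continue; }
    if ((code >= 0x01 && code <= 0x1f) || code === 0x7f ||
        (isDigit && (i === 0 || (i === 1 && s[0] === '-')))) {
      out += '\\' + code.toString(16) + ' ';   // hex escape: "1" -> "\31 "
      continue;
    }
    if (i === 0 && s.length === 1 && ch === '-') { out += '\\-'; continue; }
    if (code >= 0x80 || ch === '-' || ch === '_' || isDigit ||
        (code >= 0x41 && code <= 0x5a) || (code >= 0x61 && code <= 0x7a)) {
      out += ch;                                // ident-safe, copied through
      continue;
    }
    out += '\\' + ch;                           // ",", " ", ".", "#", "[" ... -> "\x"
  }
  return out;
}

// Weak: raw concatenation. An id such as "box, .site-nav" turns one class
// selector into a two-item selector list.
function toggleSelectorWeak(id) { return '.toggle-' + id; }

// Hardened: escape the id, so the result can only match a class token
// literally named "toggle-<id>" (class tokens can never contain "," or " ").
function toggleSelectorSafe(id) { return '.toggle-' + cssEscape(id); }

// Split a selector list on unescaped commas, drop unescaped whitespace and
// unescape "\x" sequences. Only ".class" items are understood and hex escapes
// are not decoded; that is enough for the demo.
function parseClassList(selector) {
  const groups = [];
  let cur = '';
  for (let i = 0; i < selector.length; i++) {
    const ch = selector[i];
    if (ch === '\\') {                          // keep the escaped char literally
      const next = selector[++i];
      if (next !== undefined) cur += next;
      continue;
    }
    if (ch === ',') { groups.push(cur); cur = ''; continue; }
    if (ch === ' ') continue;
    cur += ch;
  }
  groups.push(cur);
  return groups.filter(g => g.startsWith('.')).map(g => g.slice(1));
}

// Constructed fake DOM: elements with their class tokens.
function makeDom() {
  return [
    { name: 'site-nav', classes: ['site-nav'] },
    { name: 'toggle-link', classes: ['toggle-box'] },
    { name: 'box-content', classes: ['box-content'] },
  ];
}

// Stand-in for $(selector).addClass(...): every element matching any group
// gets the marker class the toggle handler would add, and its name is returned.
function bindToggle(dom, selector) {
  const wanted = parseClassList(selector);
  const touched = [];
  for (const el of dom) {
    if (el.classes.some(c => wanted.includes(c))) {
      el.classes.push('toggle-bound');
      touched.push(el.name);
    }
  }
  return touched;
}

const hostileId = 'box, .site-nav';   // constructed: an id an editor could put in page HTML
for (const build of [toggleSelectorWeak, toggleSelectorSafe]) {
  const sel = build(hostileId);
  console.log(build.name, JSON.stringify(sel), '->', bindToggle(makeDom(), sel));
}
// toggleSelectorWeak ".toggle-box, .site-nav"      -> [ 'site-nav', 'toggle-link' ]
// toggleSelectorSafe ".toggle-box\\,\\ \\.site-nav" -> []
```

The weak builder lets the editor's id reach the site navigation element, which is exactly the "add classes to arbitrary DOM nodes" effect the advisory describes; the escaped builder yields a selector that can only match a class token equal to the whole id, which no element can carry, while a benign id such as `box` still resolves to the intended toggle element. In a browser the same hardening is `CSS.escape(id)` or jQuery's `$.escapeSelector(id)`, and the complementary check is to scope the lookup to the collapsible element's own subtree instead of the whole document.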

Weakness Enumeration

Special Elements Injection
Improper Encoding or Escaping of Output

Related Identifiers

ALT-PU-2020-1642
ALT-PU-2020-2249
BDU:2020-02036
BIT-MEDIAWIKI-2020-10960
CVE-2020-10960
DSA-4651-1
GHSA-PFM2-MQWJ-GGM5
MGASA-2020-0167

Affected Products

Alt Linux
Mediawiki