PT-2020-6809 · Mediawiki+1

Published 2020-09-24 · Updated 2024-03-06 · CVE-2020-25812

CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

Name of the Vulnerable Software and Affected Versions

MediaWiki versions 1.34.x through 1.34.3

Description

An issue was discovered in MediaWiki where the NS filter on Special:Contributions uses unescaped messages as keys in the option key for an HTMLForm specifier. This is vulnerable to a mild XSS if one of those messages is changed to include raw HTML. The vulnerability exists due to a lack of protection of the web page structure, which can allow a remote attacker to conduct a cross-site scripting (XSS) attack.

Recommendations

For MediaWiki versions 1.34.x through 1.34.3, update to version 1.34.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the Special:Contributions page until a patch is available. Additionally, avoid using unescaped messages as keys in the option key for an HTMLForm specifier to minimize the risk of exploitation.

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

ALT-PU-2020-3022
ALT-PU-2020-3055
BDU:2022-07042
BIT-MEDIAWIKI-2020-25812
CVE-2020-25812
DSA-4767-1
GHSA-RJ9P-8JXJ-2CH4
MGASA-2020-0381

Affected Products

Alt Linux
Mediawiki