CVE-2020-25828

Name of the Vulnerable Software and Affected Versions MediaWiki versions 1.31.10 and earlier MediaWiki versions 1.32.x through 1.34.3

Description An issue was discovered in the non-jqueryMsg version of mw.message().parse(), which doesn't escape HTML. This affects both message contents and the parameters, which can be based on user input. When jqueryMsg is loaded, it correctly accepts only whitelisted tags in message contents and escapes all parameters. However, situations with an unloaded jqueryMsg can occur, for example, on a wiki with no extensions installed, allowing a remote attacker to conduct a cross-site scripting (XSS) attack.

Recommendations For MediaWiki versions 1.31.10 and earlier, update to version 1.31.10 or later. For MediaWiki versions 1.32.x through 1.34.3, update to version 1.34.4 or later. As a temporary workaround, consider disabling the mw.message().parse() function until a patch is available. Restrict access to the Special:SpecialPages page on a wiki with no extensions installed to minimize the risk of exploitation.