PT-2021-21127 · Mediawiki+1 · Socialprofile Extension+2

Ashley · Published 2021-06-12 · Updated 2024-03-06 · CVE-2021-36130

CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: MediaWiki versions through 1.36; the SocialProfile extension in MediaWiki versions through 1.36.

Description: An XSS issue was discovered in the SocialProfile extension for MediaWiki. A privileged user holding the awardmanage right could inject arbitrary HTML and JavaScript into various gift-related data fields that are rendered on several special pages. Because the injected content is stored, it could easily propagate across many pages and reach many users.

Recommendations: For MediaWiki versions through 1.36, update to a version that includes a fix for this issue. For the SocialProfile extension in MediaWiki versions through 1.36, consider disabling the extension until a patch is available. Restrict access to the gift-related special pages to minimize the risk of exploitation, and grant the awardmanage right only to users who need it, to reduce the potential for arbitrary HTML and JavaScript injection.

Related Identifiers

ALT-PU-2021-1991
ALT-PU-2021-2091
BIT-MEDIAWIKI-2021-36130
CVE-2021-36130

Affected Products

Alt Linux
Mediawiki
Socialprofile Extension