PT-2021-23481 · MediaWiki · GrowthExperiments Extension
Urbanecm_Wmf
Published 2021-10-06 · Updated 2024-03-06
CVE-2021-42042
CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
MediaWiki versions through 1.36.2
GrowthExperiments extension in MediaWiki versions through 1.36.2
Description
An issue was discovered in SpecialEditGrowthConfig in the GrowthExperiments extension. The growthexperiments-edit-config-error-invalid-title MediaWiki message was not being properly sanitized, allowing for the injection and execution of HTML and JavaScript.
Recommendations
For MediaWiki versions through 1.36.2, update to a version that properly sanitizes the growthexperiments-edit-config-error-invalid-title MediaWiki message, so that HTML and JavaScript cannot be injected through it.
For the GrowthExperiments extension in MediaWiki versions through 1.36.2, ensure that the SpecialEditGrowthConfig special page properly sanitizes user input to prevent exploitation.
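The pattern behind this class of bug, as an added illustration that is not taken from the GrowthExperiments source or its fix: a MediaWiki interface message is concatenated into HTML output as plain text instead of being escaped or parsed. Interface messages can be overridden on-wiki, so their content has to be treated as untrusted when it is embedded in markup; the PR:H component of the vector above reflects that the attacker needs elevated privileges. The class and method names below are hypothetical; `SpecialPage::msg()`, `Message::text()`, `Message::escaped()`, `Message::parse()`, `OutputPage::addHTML()` and `Html::errorBox()` are real MediaWiki core APIs.

```php
<?php
// Illustrative example, not code from the GrowthExperiments extension.
// Shows the unsafe and the safe way to surface an i18n message such as
// growthexperiments-edit-config-error-invalid-title in a special page.

class ExampleConfigSpecialPage extends SpecialPage {

	// Hypothetical helper: the vulnerable pattern.
	// Message::text() returns the message body with wikitext variables expanded
	// but without any HTML escaping, so any markup present in the (on-wiki
	// editable) message lands verbatim in the response.
	private function showErrorUnsafe( string $msgKey ): void {
		$this->getOutput()->addHTML(
			'<div class="error">' . $this->msg( $msgKey )->text() . '</div>'
		);
	}

	// Hypothetical helper: the hardened pattern.
	// Message::escaped() HTML-escapes the message text; Html::errorBox()
	// wraps already-safe HTML in the standard error markup. If the message
	// legitimately needs formatting (links, bold), use ->parse() instead,
	// which runs the text through the wikitext parser and its HTML sanitizer.
	private function showErrorSafe( string $msgKey ): void {
		$this->getOutput()->addHTML(
			Html::errorBox( $this->msg( $msgKey )->escaped() )
		);
	}

	// Hypothetical helper: the same check expressed as a method that returns
	// the HTML fragment, so it can be unit-tested without a full request.
	public static function renderMessageSafely( Message $msg ): string {
		return Html::errorBox( $msg->escaped() );
	}
}
```

When reviewing an extension for this issue, the thing to look for is a `->text()` (or `->plain()`) result being concatenated into a string passed to `addHTML()`, `Html::rawElement()` or a template's raw-HTML slot; each such site should either switch to `->escaped()`/`->parse()` or hand the message object to an API that escapes for you, such as `OutputPage::addWikiMsg()`.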
Fix
XSS
Affected Products
Alt Linux
GrowthExperiments Extension
MediaWiki