CVE-2021-42044

Name of the Vulnerable Software and Affected Versions MediaWiki versions through 1.36.2

Description An issue was discovered in the Mentor dashboard in the GrowthExperiments extension where certain MediaWiki messages were not properly sanitized. This allowed for the injection and execution of HTML and JavaScript, specifically affecting the growthexperiments-mentor-dashboard-mentee-overview-add-filter-total-edits-headline, growthexperiments-mentor-dashboard-mentee-overview-add-filter-starred-headline, growthexperiments-mentor-dashboard-mentee-overview-info-text, growthexperiments-mentor-dashboard-mentee-overview-info-legend-headline, and growthexperiments-mentor-dashboard-mentee-overview-active-ago messages.

Recommendations For MediaWiki versions through 1.36.2, ensure that the MediaWiki messages are properly sanitized to prevent HTML and JavaScript injection. As a temporary workaround, consider restricting access to the Mentor dashboard in the GrowthExperiments extension until a proper fix is applied.