CVE-2021-42047

Name of the Vulnerable Software and Affected Versions MediaWiki versions prior to 1.36.2

Description An issue was discovered in the Growth extension in MediaWiki. On any Wiki with the Mentor Dashboard feature enabled, users can login with a mentor account and trigger an XSS payload, such as an alert, via Growthexperiments-mentor-dashboard-mentee-overview-no-js-fallback.

Recommendations For MediaWiki versions prior to 1.36.2, update to version 1.36.2 or later to resolve the issue. As a temporary workaround, consider disabling the Mentor Dashboard feature until a patch is available. Restrict access to the Growthexperiments-mentor-dashboard-mentee-overview-no-js-fallback endpoint to minimize the risk of exploitation.