PT-2021-3353 · Mediawiki+1

Grunny · Published 2021-04-06 · Updated 2024-03-06 · CVE-2021-30157

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

MediaWiki versions 1.31.12 and earlier
MediaWiki versions 1.32.x through 1.35.x before 1.35.2

Description

The issue exists due to the lack of protection for the web page structure, allowing a remote attacker to conduct cross-site scripting (XSS) attacks. On ChangesList special pages, such as Special:RecentChanges and Special:Watchlist, some label messages are output in HTML unescaped, leading to XSS.

Recommendations

For MediaWiki versions 1.31.12 and earlier, update to version 1.31.12 or later.
For MediaWiki versions 1.32.x through 1.35.x before 1.35.2, update to version 1.35.2 or later.
As a temporary workaround, consider restricting access to the ChangesList special pages, such as Special:RecentChanges and Special:Watchlist, until a patch is available.

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

ALT-PU-2021-1712
ALT-PU-2021-2091
BDU:2021-03171
BIT-MEDIAWIKI-2021-30157
CVE-2021-30157
DSA-4889-1

Affected Products

Alt Linux
Mediawiki