PT-2021-3354 · Mediawiki+1 · Mediawiki+1

Grunny · Published 2021-04-06 · Updated 2024-03-06 · CVE-2021-30154

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

MediaWiki versions prior to 1.31.12
MediaWiki versions 1.32.x through 1.35.x before 1.35.2

Description

MediaWiki outputs the mediastatistics-header-* messages in HTML unescaped on Special:NewFiles, which leads to XSS. This could allow a remote attacker to impact the confidentiality and integrity of protected information.

Recommendations

For MediaWiki versions prior to 1.31.12, update to version 1.31.12 or later.
For MediaWiki versions 1.32.x through 1.35.x before 1.35.2, update to version 1.35.2 or later.
As a temporary workaround, consider restricting access to the Special:NewFiles page until a patch is available.

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

ALT-PU-2021-1712
ALT-PU-2021-2091
BDU:2021-03174
BIT-MEDIAWIKI-2021-30154
CVE-2021-30154
DSA-4889-1

Affected Products

Alt Linux
Mediawiki