PT-2022-22180 · Mediawiki · Mediawiki
Published 2022-06-25 · Updated 2022-06-28 · CVE-2022-34491
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions
MediaWiki versions prior to 1.38.2
Description
The issue is a stored XSS that can occur via MediaWiki's template system. It arises when an RSS feed whose description tags carry XSS payloads is created and added to the $wgRSSUrlWhitelist config variable while the $wgRSSAllowLinkTag config variable is set to true. The payload is triggered whenever the feed is loaded via the rss document tag.
Recommendations
For MediaWiki versions prior to 1.38.2, update to version 1.38.2 or later to resolve the issue. As a temporary workaround, set the $wgRSSAllowLinkTag config variable to false to reduce the risk of exploitation, and restrict who can use the rss document tag to limit exposure to stored XSS.
Affected Products
Mediawiki