CVE-2022-34911

Name of the Vulnerable Software and Affected Versions MediaWiki versions prior to 1.35.7 MediaWiki versions 1.36.x MediaWiki versions 1.37.x prior to 1.37.3 MediaWiki versions 1.38.x prior to 1.38.1

Description An issue can occur in configurations that allow a JavaScript payload in a username, leading to XSS. After account creation, the username is not escaped when setting the page title to "Welcome" followed by the username. This happens because SpecialCreateAccount::successfulAction() calls ::showSuccessPage() with a message as the second parameter, and OutputPage::setPageTitle() uses text().

Recommendations For MediaWiki versions prior to 1.35.7, update to version 1.35.7 or later. For MediaWiki versions 1.36.x, update to version 1.37.3 or later. For MediaWiki versions 1.37.x prior to 1.37.3, update to version 1.37.3 or later. For MediaWiki versions 1.38.x prior to 1.38.1, update to version 1.38.1 or later. As a temporary workaround, consider restricting the use of JavaScript payloads in usernames to minimize the risk of exploitation.