PT-2023-18770 · Mediawiki +1

Author: Lucas Werkmeister +1

Published: 2023-01-20 · Updated: 2024-08-20

CVE-2023-22910

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

MediaWiki versions prior to 1.35.9
MediaWiki versions 1.36.x through 1.38.x before 1.38.5
MediaWiki versions 1.39.x before 1.39.1

Description

An issue was discovered in MediaWiki that allows JavaScript execution by staff/admin users who do not intentionally have the editsitejs capability (the MediaWiki right required to edit site-wide JavaScript pages such as MediaWiki:Common.js). The cause is a cross-site scripting (XSS) flaw in Wikibase date formatting via the wikibase-time-precision-* fields.

Recommendations

For versions prior to 1.35.9, update to version 1.35.9 or later. For versions 1.36.x through 1.38.x before 1.38.5, update to version 1.38.5 or later. For versions 1.39.x before 1.39.1, update to version 1.39.1 or later. As a temporary workaround, consider restricting access to the wikibase-time-precision-* fields to minimize the risk of exploitation.

Weakness Enumeration

XSS

Related Identifiers

ALT-PU-2023-4877
ALT-PU-2024-11168
ALT-PU-2024-1228
BIT-MEDIAWIKI-2023-22910
CVE-2023-22910

Affected Products

Alt Linux
Mediawiki