CVE-2023-37254

Name of the Vulnerable Software and Affected Versions MediaWiki Cargo extension versions through 1.39.3

Description An issue in the Cargo extension for MediaWiki allows XSS to occur in Special:CargoQuery via a crafted page item when using the default format. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited. Technical details about exploitation include the use of a crafted page item in the Special:CargoQuery endpoint.

Recommendations For MediaWiki Cargo extension versions through 1.39.3, update to a version later than 1.39.3 to resolve the issue. As a temporary workaround, consider restricting access to the Special:CargoQuery endpoint until a patch is available. Avoid using the default format in Special:CargoQuery until the issue is resolved.