PT-2023-8946 · Mediawiki+2 · Mediawiki Proofreadpage Extension+2

Soda · Published 2023-10-08 · Updated 2024-08-20 · CVE-2023-45373

CVSS v2.0: 6.4 (Medium)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

Name of the Vulnerable Software and Affected Versions

MediaWiki ProofreadPage extension versions prior to 1.35.12
MediaWiki ProofreadPage extension versions 1.36.x through 1.39.x before 1.39.5
MediaWiki ProofreadPage extension versions 1.40.x before 1.40.1

Description

The ProofreadPage extension for MediaWiki does not protect the structure of the web page it generates. A remote attacker can use this to perform cross-site scripting (XSS) attacks. The attack can occur via the formatNumNoSeparators function.

Recommendations

For MediaWiki ProofreadPage extension versions prior to 1.35.12, update to version 1.35.12 or later.
For MediaWiki ProofreadPage extension versions 1.36.x through 1.39.x, update to version 1.39.5 or later.
For MediaWiki ProofreadPage extension versions 1.40.x before 1.40.1, update to version 1.40.1 or later.
As a temporary workaround, consider disabling the formatNumNoSeparators function until a patch is available.

Fix

XSS

Weakness Enumeration

Related Identifiers

ALT-PU-2023-6419
ALT-PU-2024-11168
ALT-PU-2024-1228
BDU:2024-02748
BIT-MEDIAWIKI-2023-45373
CVE-2023-45373

Affected Products

Alt Linux
Mediawiki Proofreadpage Extension
Red Os