CVE-2024-23173

Name of the Vulnerable Software and Affected Versions MediaWiki versions prior to 1.35.14 MediaWiki versions 1.36.x through 1.39.x before 1.39.6 MediaWiki versions 1.40.x before 1.40.2

Description An issue in the Cargo extension of MediaWiki allows for XSS attacks via the artist, album, and position parameters due to applied filter values in drilldown/CargoAppliedFilter.php. This affects the Special:Drilldown page.

Recommendations For MediaWiki versions prior to 1.35.14, update to version 1.35.14 or later. For MediaWiki versions 1.36.x through 1.39.x before 1.39.6, update to version 1.39.6 or later. For MediaWiki versions 1.40.x before 1.40.2, update to version 1.40.2 or later. As a temporary workaround, consider restricting access to the Special:Drilldown page and avoiding the use of artist, album, and position parameters until a patch is applied.