PT-2024-2678 · Mediawiki+2 · Mediawiki+2
Soda
·
Published
2024-01-12
·
Updated
2025-06-19
·
CVE-2024-23174
CVSS v2.0
5.5
Medium
| Vector | AV:N/AC:L/Au:S/C:P/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
MediaWiki versions prior to 1.35.14
MediaWiki versions 1.36.x through 1.39.x before 1.39.6
MediaWiki versions 1.40.x before 1.40.2
Description
The issue is related to the PageTriage extension in MediaWiki, which is associated with improper neutralization of input during webpage creation. This can allow a remote attacker to perform cross-site scripting attacks. The attacks can occur via various messages, including
rev-deleted-user, pagetriage-tags-quickfilter-label, pagetriage-triage, pagetriage-filter-date-range-format-placeholder, pagetriage-filter-date-range-to, pagetriage-filter-date-range-from, pagetriage-filter-date-range-heading, pagetriage-filter-set-button, or pagetriage-filter-reset-button.Recommendations
For MediaWiki versions prior to 1.35.14, update to version 1.35.14 or later.
For MediaWiki versions 1.36.x through 1.39.x, update to version 1.39.6 or later.
For MediaWiki versions 1.40.x before 1.40.2, update to version 1.40.2 or later.
As a temporary workaround, consider restricting access to the PageTriage extension until a patch is available. Avoid using the vulnerable messages in the PageTriage extension until the issue is resolved.
Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Mediawiki
Red Os