CVE-2024-23178

Name of the Vulnerable Software and Affected Versions MediaWiki versions prior to 1.40.2 Phonos extension in MediaWiki versions prior to 1.40.2

Description The issue exists due to the lack of protection for the web page structure in the Phonos extension of MediaWiki. This allows a remote attacker to perform cross-site scripting attacks via the phonos-purge-needed-error message. The vulnerability is related to the PhonosButton.js file, which enables i18n-based XSS attacks.

Recommendations For MediaWiki versions prior to 1.40.2, update to version 1.40.2 or later to resolve the issue. As a temporary workaround, consider disabling the PhonosButton.js file until a patch is available. Restrict access to the phonos-purge-needed-error message to minimize the risk of exploitation.