PT-2024-2681 · Unknown+3 · Globalblocking Extension+3

Dreamy_Jazz · Published 2024-01-12 · Updated 2025-06-19 · CVE-2024-23179

CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

Name of the Vulnerable Software and Affected Versions

MediaWiki versions prior to 1.40.2
GlobalBlocking extension versions prior to 1.40.2

Description

The issue is related to the GlobalBlocking extension in MediaWiki, where improper input neutralization during web page creation can lead to security issues. An attacker can exploit this to perform cross-site scripting attacks. Specifically, for a Special:GlobalBlock?uselang=x-xss URI, i18n-based XSS can occur via the parentheses message, affecting subtitle links in buildSubtitleLinks.

Recommendations

For MediaWiki versions prior to 1.40.2, update to version 1.40.2 or later to resolve the issue. For the GlobalBlocking extension, ensure it is updated to a version compatible with MediaWiki 1.40.2 or later. As a temporary workaround, consider restricting access to the Special:GlobalBlock page until the update is applied. Avoid using the uselang parameter with the x-xss value in the Special:GlobalBlock URI until the issue is resolved.
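
The weakness class described above, shown as a stand-alone model (an added example, not code from MediaWiki or the GlobalBlocking extension, and not the project's actual patch): a subtitle builder that treats the text of the parentheses message as HTML, next to one that escapes the message text and substitutes only the application-built links as raw HTML. The message store, the x-test language code, the probe markup and all function names are constructed for illustration.

```php
<?php
// Constructed message store (not MediaWiki data). 'x-test' stands in for a
// language whose message text cannot be trusted; its markup is a harmless probe.
const MESSAGES = [
    'en'     => ['parentheses' => '($1)', 'pipe-separator' => ' | '],
    'x-test' => ['parentheses' => '<i data-probe="1">($1)</i>'],
];

// Look up message text, falling back to English when the language lacks the key.
function messageText(string $key, string $lang): string
{
    return MESSAGES[$lang][$key] ?? MESSAGES['en'][$key];
}

// Links are generated by the application itself, so their HTML is trusted.
function makeLink(string $href, string $label): string
{
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES) . '">'
        . htmlspecialchars($label, ENT_QUOTES) . '</a>';
}

// Vulnerable pattern: the message text reaches the page without escaping,
// so any markup in the selected language's message becomes live HTML.
function subtitleUnsafe(array $links, string $lang): string
{
    $inner = implode(messageText('pipe-separator', $lang), $links);
    return str_replace('$1', $inner, messageText('parentheses', $lang));
}

// Hardened pattern: escape the message text first, then substitute the
// trusted link HTML for the placeholder as a raw parameter.
function subtitleSafe(array $links, string $lang): string
{
    $sep = htmlspecialchars(messageText('pipe-separator', $lang), ENT_QUOTES);
    $wrapper = htmlspecialchars(messageText('parentheses', $lang), ENT_QUOTES);
    return str_replace('$1', implode($sep, $links), $wrapper);
}

// Constructed sample link for the demonstration.
$links = [makeLink('/wiki/Special:GlobalBlockList', 'Global block list')];
foreach (['en', 'x-test'] as $lang) {
    echo "$lang unsafe: ", subtitleUnsafe($links, $lang), "\n";
    echo "$lang safe:   ", subtitleSafe($links, $lang), "\n";
    // The hardened builder must never emit the probe as live markup.
    assert(strpos(subtitleSafe($links, $lang), '<i ') === false);
}
```

For the English messages both builders produce the same output; they differ only when the message text itself carries markup, which is why this kind of bug goes unnoticed in normal use.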

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

ALT-PU-2025-5905
BDU:2024-02790
BIT-MEDIAWIKI-2024-23179
CVE-2024-23179

Affected Products

Alt Linux
Globalblocking Extension
Mediawiki
Red Os