CVE-2024-34507

Name of the Vulnerable Software and Affected Versions MediaWiki versions prior to 1.39.7 MediaWiki versions 1.40.x prior to 1.40.3 MediaWiki versions 1.41.x prior to 1.41.1

Description The issue is related to the incorrect neutralization of input during web page creation in the includes/CommentFormatter/CommentParser.php file of MediaWiki. This can allow a remote attacker to perform cross-site scripting (XSS) attacks. The vulnerability is caused by the mishandling of the 0x1b character. An example of the exploitation is demonstrated by the Special:RecentChanges#%1b0000000 endpoint.

Recommendations For MediaWiki versions prior to 1.39.7, update to version 1.39.7 or later. For MediaWiki versions 1.40.x prior to 1.40.3, update to version 1.40.3 or later. For MediaWiki versions 1.41.x prior to 1.41.1, update to version 1.41.1 or later. As a temporary workaround, consider restricting access to the includes/CommentFormatter/CommentParser.php file until a patch is available. Avoid using the 0x1b character in user input until the issue is resolved.