CVE-2024-34500

Name of the Vulnerable Software and Affected Versions MediaWiki versions prior to 1.39.6 MediaWiki versions 1.40.x prior to 1.40.2 MediaWiki versions 1.41.x prior to 1.41.1

Description The issue is related to the UnlinkedWikibase extension in MediaWiki, where improper neutralization of input during web page creation can lead to cross-site scripting (XSS) attacks. This can allow a remote attacker to perform XSS attacks through an interface message. Error messages, stored in the $err variable, are not escaped before being passed to Html::rawElement() in the getError() function of the Hooks class.

Recommendations For MediaWiki versions prior to 1.39.6, update to version 1.39.6 or later. For MediaWiki versions 1.40.x prior to 1.40.2, update to version 1.40.2 or later. For MediaWiki versions 1.41.x prior to 1.41.1, update to version 1.41.1 or later. As a temporary workaround, consider disabling the UnlinkedWikibase extension until a patch is available. Restrict access to interface messages to minimize the risk of exploitation. Avoid using error messages in the $err variable in the affected getError() function until the issue is resolved.