Sunday, January 2, 2022

MediaWiki: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-2021-45472)

Description
In MediaWiki through 1.37, XSS can occur in Wikibase because an external identifier property can have a URL format that includes a $1 formatter substitution marker, and the javascript: URL scheme (among others) can be used.
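The class of check that closes this gap, as an added example (not Wikibase's code or its actual patch): expand the `$1` marker, parse the result with the WHATWG URL parser that browsers use, and emit a link only for allow-listed schemes. The function names, the http/https allow-list, the percent-encoding of the value and the `example.org` formatters are assumptions made for this illustration.

```javascript
// Added example: validate an external-identifier formatter URL before linking.
// Assumption: only http and https links are acceptable for identifier links.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Replace every $1 marker with the percent-encoded identifier value.
// Encoding the value is a choice of this example; it stops the value from
// adding its own path separators or query parameters to the URL.
function expandFormatterUrl(formatter, value) {
  return formatter.split('$1').join(encodeURIComponent(String(value)));
}

// Return the href to render, or null when no link should be emitted.
function safeExternalIdLink(formatter, value) {
  if (typeof formatter !== 'string' || !formatter.includes('$1')) {
    return null; // not a formatter URL at all
  }
  let parsed;
  try {
    // The WHATWG parser strips leading whitespace and control characters and
    // lower-cases the scheme, so the check sees the scheme a browser would.
    parsed = new URL(expandFormatterUrl(formatter, value));
  } catch (err) {
    return null; // relative or unparsable: no absolute scheme to trust
  }
  // Check the scheme of the expanded URL, not a prefix of the raw string.
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Constructed sample property definitions (not taken from any real wiki).
const samples = [
  ['https://example.org/id/$1', 'P123/x'], // ordinary formatter
  ['javascript:void($1)', '0'],            // scheme named in the description
  [' JavaScript:void($1)', '0'],           // same scheme, disguised
  ['/wiki/$1', 'Q42'],                     // relative URL
];
for (const [formatter, value] of samples) {
  console.log(JSON.stringify(formatter), '->', safeExternalIdLink(formatter, value));
}
```

The same validation belongs both where the property's formatter URL is saved and where the link is rendered, so that values stored before the check existed are not linked.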
Solution(s)
  • mediawiki-upgrade-latest


References
  • https://attackerkb.com/topics/cve-2021-45472
  • CVE - 2021-45472
  • https://gerrit.wikimedia.org/r/q/I37ece1dfdc80d38055067c9c4fa73ba591acd8bd
  • https://phabricator.wikimedia.org/T297570



