alistair3149

5 exploits Active since Jan 2022
CVE-2022-21710 MEDIUM WRITEUP
Mediawiki Shortdescription < 2.3.4 - XSS
ShortDescription is a MediaWiki extension that provides local short description support. A cross-site scripting (XSS) vulnerability exists in versions prior to 2.3.4. On a wiki that has the ShortDescription extension enabled, XSS can be triggered on any page or the page with the action=info parameter, which displays the shortdesc property. This is achieved using the wikitext `{{SHORTDESC:<img src=x onerror=alert()>}}`. This issue has a patch in version 2.3.4.
CVSS 4.7
CVE-2024-47536 MEDIUM WRITEUP
MediaWiki <2.31.0 - XSS
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. A user with the editmyprivateinfo right or who can otherwise change their name can XSS themselves by setting their "real name" to an XSS payload. This vulnerability is fixed in 2.31.0.
CVSS 5.4
CVE-2025-21612 HIGH WRITEUP
Starcitizentools Tabber-neue < 2.7.2 - Basic XSS
TabberNeue is a MediaWiki extension that allows the wiki to create tabs. Prior to 2.7.2, TabberTransclude.php doesn't escape the user-supplied page name when outputting, so an XSS payload as the page name can be used here. This vulnerability is fixed in 2.7.2.
CVSS 8.6
CVE-2025-49577 MEDIUM WRITEUP
Citizen < 3.3.1 - XSS
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Various preferences messages are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This vulnerability is fixed in 3.3.1.
CVSS 6.5
CVE-2025-53093 HIGH WRITEUP
Starcitizentools Tabber-neue < 3.1.1 - Basic XSS
TabberNeue is a MediaWiki extension that allows the wiki to create tabs. Starting in version 3.0.0 and prior to version 3.1.1, any user can insert arbitrary HTML into the DOM by inserting a payload into any allowed attribute of the `<tabber>` tag. Version 3.1.1 contains a patch for the bug.
CVSS 8.6