CVE-2012-4378
MEDIUM
MediaWiki < 1.18.5 and 1.19.x < 1.19.2 - Cross-Site Scripting via Userlang Parameter
Title source: llm
Description
Multiple cross-site scripting (XSS) vulnerabilities in MediaWiki before 1.18.5 and 1.19.x before 1.19.2, when unspecified JavaScript gadgets are used, allow remote attackers to inject arbitrary web script or HTML via the userlang parameter to w/index.php.
References (6)
Core References
Mailing List, Patch, Third Party Advisory mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2012/08/31/6
Patch, Vendor Advisory mailing-list
x_refsource_mlist
https://lists.wikimedia.org/pipermail/mediawiki-announce/2012-August/000119.html
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=853417
Issue Tracking, Patch, Vendor Advisory x_refsource_confirm
https://phabricator.wikimedia.org/T39587
Mailing List, Patch, Third Party Advisory mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2012/08/31/10
Issue Tracking, Third Party Advisory x_refsource_misc
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686330
Scores
CVSS v3
6.1
EPSS
0.0051
EPSS Percentile
66.5%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (3)
mediawiki/mediawiki
1.19.0
mediawiki/mediawiki
1.19.1
mediawiki/mediawiki
< 1.18.4
Published
Oct 26, 2017
Tracked Since
Feb 18, 2026