CVE-2013-4303
MEDIUM
MediaWiki 1.19.0-1.19.7 - Cross-Site Scripting via API siprop Parameter
Title source: llm
Description
includes/libs/IEUrlExtension.php in the MediaWiki API in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 does not properly detect extensions when there are an even number of "." (period) characters in a string, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the siprop parameter in a query action to wiki/api.php.
References (5)
Core References
Mailing List, Patch, Vendor Advisory x_refsource_misc
http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html
Mailing List, Third Party Advisory x_refsource_misc
http://seclists.org/oss-sec/2013/q3/553
Exploit, Issue Tracking, Patch, Vendor Advisory x_refsource_misc
https://bugzilla.wikimedia.org/show_bug.cgi?id=52746
Third Party Advisory, VDB Entry x_refsource_misc
http://www.securityfocus.com/bid/62194
Third Party Advisory, VDB Entry x_refsource_misc
https://exchange.xforce.ibmcloud.com/vulnerabilities/86897
Scores
CVSS v3
6.1
EPSS
0.0057
EPSS Percentile
68.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (1)
mediawiki/mediawiki
1.19.0 - 1.19.8
Published
Dec 11, 2019
Tracked Since
Feb 18, 2026