Description
Cross-site scripting (XSS) vulnerability in the ZeroRatedMobileAccess extension for MediaWiki 1.19.x before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 allows remote attackers to inject arbitrary web script or HTML via the "to" parameter to index.php.
References (3)
Core 3
Core References
Patch x_refsource_confirm
https://bugzilla.wikimedia.org/show_bug.cgi?id=55991
Patch mailing-list
x_refsource_mlist
http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-November/000135.html
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/55754
Scores
EPSS
0.0036
EPSS Percentile
58.2%
Details
CWE
CWE-79
Status
published
Products (20)
mediawiki/mediawiki
1.19.0
mediawiki/mediawiki
1.19.1
mediawiki/mediawiki
1.19.2
mediawiki/mediawiki
1.19.3
mediawiki/mediawiki
1.19.4
mediawiki/mediawiki
1.19.5
mediawiki/mediawiki
1.19.6
mediawiki/mediawiki
1.19.7
mediawiki/mediawiki
1.19.8
mediawiki/mediawiki
1.20
... and 10 more
Published
Nov 25, 2013
Tracked Since
Feb 18, 2026