Description
Cross-site scripting (XSS) vulnerability in Special:PasswordReset in MediaWiki before 1.19.16, 1.21.x before 1.21.10, and 1.22.x before 1.22.7, when wgRawHtml is enabled, allows remote attackers to inject arbitrary web script or HTML via an invalid username.
References (8)
Core 8
Core References
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/58896
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1030364
Mailing List mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2014/06/04/15
Issue Tracking x_refsource_confirm
https://bugzilla.wikimedia.org/show_bug.cgi?id=65501
Patch, Vendor Advisory mailing-list
x_refsource_mlist
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-May/000151.html
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2014/dsa-2957
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/67787
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/58834
Scores
EPSS
0.0032
EPSS Percentile
55.5%
Details
CWE
CWE-79
Status
published
Products (33)
mediawiki/mediawiki
1.19.0
mediawiki/mediawiki
1.19.1
mediawiki/mediawiki
1.19.2
mediawiki/mediawiki
1.19.3
mediawiki/mediawiki
1.19.4
mediawiki/mediawiki
1.19.5
mediawiki/mediawiki
1.19.6
mediawiki/mediawiki
1.19.7
mediawiki/mediawiki
1.19.8
mediawiki/mediawiki
1.19.9
... and 23 more
Published
Jun 06, 2014
Tracked Since
Feb 18, 2026