CVE-2020-26120
MEDIUM
MediaWiki < 1.34.4 - Cross-Site Scripting via MobileFrontend Section Line Regex Replacement
Title source: llm
Description
XSS exists in the MobileFrontend extension for MediaWiki before 1.34.4 because section.line is mishandled during regex section line replacement from PageGateway. Using crafted HTML, an attacker can elicit an XSS attack via jQuery's parseHTML method, which can cause image callbacks to fire even without the element being appended to the DOM.
References (3)
Exploit, Issue Tracking, Patch, Vendor Advisory x_refsource_misc
https://phabricator.wikimedia.org/T262213
Vendor Advisory x_refsource_misc
https://gerrit.wikimedia.org/r/q/I42e079bc875d17b336ab015f3678eaedc26e10ea
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RTTPZ7XMDS66I442OLLHXBDNP2LCBJU6/
Scores
CVSS v3: 6.1
EPSS: 0.0028
EPSS Percentile: 51.7%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE: CWE-79
Status: published
Products (2)
fedoraproject/fedora: 33
mediawiki/mediawiki: < 1.34.4
Published: Sep 27, 2020
Tracked Since: Feb 18, 2026