CVE-2021-36131
MEDIUMMediaWiki < 1.36 - Authenticated Stored Cross-Site Scripting in SportsTeams Extension
Title source: llmDescription
An XSS issue was discovered in the SportsTeams extension in MediaWiki through 1.36. Within several special pages, a privileged user could inject arbitrary HTML and JavaScript within various data fields. The attack could easily propagate across many pages for many users.
References (2)
Core 2
Core References
Issue Tracking, Patch, Vendor Advisory x_refsource_misc
https://phabricator.wikimedia.org/T281196
Patch, Vendor Advisory x_refsource_misc
https://gerrit.wikimedia.org/r/q/Ic312cc9b8463c8e7c3298a661abfcff2cc2332cb
Scores
CVSS v3
4.8
EPSS
0.0019
EPSS Percentile
40.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (1)
mediawiki/mediawiki
< 1.36
Published
Jul 02, 2021
Tracked Since
Feb 18, 2026