CVE-2022-28202
MEDIUMMediaWiki < 1.35.6, 1.36.x < 1.36.4, 1.37.x < 1.37.2 - Cross-Site Scripting via Gallery and Special:RevisionDelete
Title source: llmDescription
An XSS issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. The widthheight, widthheightpage, and nbytes properties of messages are not escaped when used in galleries or Special:RevisionDelete.
References (5)
Core 5
Core References
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PT4CHJKOQOVMI65TSNZRNV6FIWU7SGZD/
Mailing List, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2022/09/msg00027.html
Third Party Advisory vendor-advisory
https://www.debian.org/security/2022/dsa-5246
Third Party Advisory vendor-advisory
https://security.gentoo.org/glsa/202305-24
Issue Tracking, Patch, Vendor Advisory
https://phabricator.wikimedia.org/T297543
Scores
CVSS v3
6.1
EPSS
0.0108
EPSS Percentile
78.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (3)
debian/debian_linux
10.0
fedoraproject/fedora
36
mediawiki/mediawiki
< 1.35.6
Published
Mar 30, 2022
Tracked Since
Feb 18, 2026