CVE-2022-34912

MEDIUM

MediaWiki < 1.37.3 and 1.38.x < 1.38.1 - Cross-Site Scripting in Special:Contributions Page Title

Title source: llm
STIX 2.1

Description

An issue was discovered in MediaWiki before 1.37.3 and 1.38.x before 1.38.1. The contributions-title, used on Special:Contributions, is used as page title without escaping. Hence, in a non-default configuration where a username contains HTML entities, it won't be escaped.

References (6)

Core 6

Scores

CVSS v3 6.1
EPSS 0.0060
EPSS Percentile 69.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

Status published
Products (4)
fedoraproject/fedora 36
fedoraproject/fedora 37
mediawiki/mediawiki 1.38.0 (3 CPE variants)
mediawiki/mediawiki < 1.37.3
Published Jul 02, 2022
Tracked Since Feb 18, 2026