CVE-2023-45359

MEDIUM

MediaWiki <1.39.5-1.40.1 - XSS

Title source: llm

Description

An issue was discovered in the Vector Skin component for MediaWiki before 1.39.5 and 1.40.x before 1.40.1. vector-toc-toggle-button-label is not escaped, but should be, because the line param can have markup.

References (2)

[Issue Tracking] https://phabricator.wikimedia.org/T340217

[Various Sources] https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/skins/Vector/+/c17b956e0750e051ac7c1098e3ff625f0db82b2c

Scores

CVSS v3 6.5

EPSS 0.0022

EPSS Percentile 44.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-116

Status published

Published Oct 09, 2024

Tracked Since Feb 18, 2026