Description
An issue was discovered in the UnlinkedWikibase extension in MediaWiki before 1.39.6, 1.40.x before 1.40.2, and 1.41.x before 1.41.1. XSS can occur through an interface message: error messages (held in the $err variable) are not escaped before being passed to Html::rawElement() in the getError() function of the Hooks class.
References (4)
Patch, Vendor Advisory
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/UnlinkedWikibase/+/1002175
Issue Tracking, Vendor Advisory
https://phabricator.wikimedia.org/T357203
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FU2FGUXXK6TMV6R52VRECLC6XCSQQISY/
Third Party Advisory, vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FU2FGUXXK6TMV6R52VRECLC6XCSQQISY/
Scores
CVSS v3
6.1
EPSS
0.0030
EPSS Percentile
53.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (3)
fedoraproject/fedora
40
mediawiki/mediawiki
< 1.39.6
samwilson/unlinked-wikibase
0 - 1.42.0 (Packagist)
Published
May 05, 2024
Tracked Since
Feb 18, 2026