CVE-2020-35479

Published: 18/12/2020 Updated: 07/11/2023
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 6.1 | Impact Score: 2.7 | Exploitability Score: 2.8
VMScore: 383
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Summary

MediaWiki prior to 1.35.1 allows XSS via BlockLogFormatter.php. Language::translateBlockExpiry itself does not escape in all code paths. For example, the return of Language::userTimeAndDate is always unsafe for HTML in a month value. This affects MediaWiki 1.12.0 and later.

Vulnerable Product

mediawiki mediawiki

debian debian linux 9.0

debian debian linux 10.0

fedoraproject fedora 33

Vendor Advisories

Multiple security issues were discovered in MediaWiki, a website engine for collaborative work, which could result in cross-site scripting or the disclosure of hidden users. For the stable distribution (buster), these problems have been fixed in version 1:13112-1~deb10u1. We recommend that you upgrade your mediawiki packages. For the detailed sec ...

MediaWiki before 1.35.1 allows XSS via BlockLogFormatter.php. Language::translateBlockExpiry itself does not escape in all code paths. For example, the return of Language::userTimeAndDate is always unsafe for HTML in a month value. This affects MediaWiki 1.12.0 and later ...