An issue exists in Wikimedia Parsoid prior to 0.11.1 and 0.12.x prior to 0.12.2. An attacker can send crafted wikitext that Utils/WTUtils.php will transform by using a <meta> tag, bypassing sanitization steps, and potentially allowing for XSS.
Vulnerable Product |
---|
wikimedia parsoid |