CVE-2024-23173: MediaWiki Cargo Extension Cross-site Scripting vulnerability
An issue was discovered in the Cargo extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. The Special:Drilldown page allows XSS via artist, album, and position parameters because of applied filter values in drilldown/CargoAppliedFilter.php.
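The defect class described above is a request-controlled filter value being written into the Special:Drilldown HTML without escaping. The PHP below is an added illustration, not code from the Cargo extension or the linked fix commit: it shows a hypothetical applied-filter renderer in its unsafe and hardened forms, and a helper that maps an installed MediaWiki version onto the affected ranges stated in the advisory. The class, function and parameter names are assumptions made for the example.

```php
<?php
// Added example (not the Cargo extension's own code). Names are hypothetical.

// Hypothetical representation of one applied drilldown filter, e.g.
// field "artist" with a value taken from the request.
final class AppliedFilter {
    public function __construct(
        public readonly string $field,
        public readonly string $value
    ) {}
}

// Vulnerable pattern: the request-controlled value is interpolated straight
// into markup, so any tags it contains become part of the page.
function renderAppliedFilterUnsafe(AppliedFilter $f): string {
    return "<span class=\"drilldown-filter\">{$f->field}: {$f->value}</span>";
}

// Hardened pattern: every user-influenced string is HTML-escaped before it
// is placed in the output. ENT_QUOTES also covers attribute contexts.
function escapeHtml(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderAppliedFilterSafe(AppliedFilter $f): string {
    return '<span class="drilldown-filter">'
        . escapeHtml($f->field) . ': ' . escapeHtml($f->value)
        . '</span>';
}
// Inside MediaWiki the same result is normally obtained with the core helper,
// which escapes text and attribute values itself:
//   Html::element( 'span', [ 'class' => 'drilldown-filter' ], "$field: $value" );

// Affected-version check built from the ranges in the advisory text:
//   < 1.35.14, 1.36.x through 1.39.x before 1.39.6, 1.40.x before 1.40.2.
function isAffectedMediaWikiVersion(string $version): bool {
    if (version_compare($version, '1.35.14', '<')) {
        return true;
    }
    if (version_compare($version, '1.36.0', '>=') && version_compare($version, '1.39.6', '<')) {
        return true;
    }
    if (version_compare($version, '1.40.0', '>=') && version_compare($version, '1.40.2', '<')) {
        return true;
    }
    return false;
}

// Constructed sample input: a filter value carrying markup. Unescaped, the
// <b> element survives into the page; escaped, it is rendered as literal text.
$filter = new AppliedFilter('artist', '<b>not bold</b>');
echo renderAppliedFilterUnsafe($filter), PHP_EOL;
// <span class="drilldown-filter">artist: <b>not bold</b></span>
echo renderAppliedFilterSafe($filter), PHP_EOL;
// <span class="drilldown-filter">artist: &lt;b&gt;not bold&lt;/b&gt;</span>

foreach (['1.35.13', '1.35.14', '1.39.5', '1.39.6', '1.40.1', '1.40.2', '1.41.0'] as $v) {
    printf("%-8s affected=%s\n", $v, isAffectedMediaWikiVersion($v) ? 'yes' : 'no');
}
// 1.35.13 yes, 1.35.14 no, 1.39.5 yes, 1.39.6 no, 1.40.1 yes, 1.40.2 no, 1.41.0 no
```

The escaping helper is the general fix for this class of bug: the safe renderer treats the field name as untrusted too, because a value that is safe in one deployment may be attacker-influenced in another. The version check reproduces only the ranges given in the advisory; it does not know about the Cargo extension's own release numbering, so confirm against the extension's changelog as well.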
References
- gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/965214
- github.com/advisories/GHSA-rhpm-63w5-79rg
- github.com/wikimedia/mediawiki-extensions-Cargo
- github.com/wikimedia/mediawiki-extensions-Cargo/commit/e4f0b7fb11da0e4b18f2c416101965e417ba3bd2
- nvd.nist.gov/vuln/detail/CVE-2024-23173
- phabricator.wikimedia.org/T348687
Detect and mitigate CVE-2024-23173 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.