CVE-2024-34500: MediaWiki UnlinkedWikibase Cross-site Scripting vulnerability
An issue was discovered in the UnlinkedWikibase extension for MediaWiki before 1.39.6, 1.40.x before 1.40.2, and 1.41.x before 1.41.1. Cross-site scripting (XSS) can occur through an interface message: error messages (held in the $err variable) are not escaped before being passed to Html::rawElement() in the getError() function of the Hooks class. Because Html::rawElement() inserts its content verbatim, any HTML in the message reaches the page unmodified; the fix referenced below escapes the message before it is rendered.
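The following is an added example, not code from the UnlinkedWikibase extension or from the linked fix. It models the pattern the advisory describes with a minimal stand-in for MediaWiki's Html class (the stand-in keeps the real class's contract: rawElement() trusts its content, element() escapes it), so it runs offline with no MediaWiki install. The function names getErrorVulnerable() and getErrorFixed() and the error string are constructed for illustration and are not the extension's own.

```php
<?php
// Added example: a minimal stand-in for MediaWiki's Html helpers so this file
// runs on plain PHP. It is not the real class; only the escaping contract is kept.
class Html {
    // rawElement() trusts $contents and inserts it unmodified (as in MediaWiki).
    public static function rawElement( string $tag, array $attrs, string $contents ): string {
        $attrText = '';
        foreach ( $attrs as $name => $value ) {
            // Attribute values are always escaped, even in rawElement().
            $attrText .= ' ' . $name . '="' . htmlspecialchars( $value, ENT_QUOTES ) . '"';
        }
        return "<$tag$attrText>$contents</$tag>";
    }

    // element() escapes $contents before delegating to rawElement() (as in MediaWiki).
    public static function element( string $tag, array $attrs, string $contents ): string {
        return self::rawElement( $tag, $attrs, htmlspecialchars( $contents, ENT_QUOTES ) );
    }
}

// Vulnerable pattern (hypothetical name): the error text goes straight into
// rawElement(), so any markup in the message is emitted as live HTML.
function getErrorVulnerable( string $err ): string {
    return Html::rawElement( 'span', [ 'class' => 'error' ], $err );
}

// Hardened pattern (hypothetical name): use element(), which escapes the
// content. Escaping with htmlspecialchars() before rawElement() is equivalent.
function getErrorFixed( string $err ): string {
    return Html::element( 'span', [ 'class' => 'error' ], $err );
}

// Constructed sample: an interface message that someone with message-editing
// rights could have planted, carrying an event-handler payload.
$err = 'Lookup failed: <img src=x onerror=alert(document.cookie)>';

echo getErrorVulnerable( $err ), "\n";
echo getErrorFixed( $err ), "\n";
```

Run it with `php example.php`: the first line of output contains the `<img ... onerror=...>` tag as live markup, while the second line carries it as `&lt;img ... &gt;` text. The same check, applied to any helper that ends in Html::rawElement(), is the quickest way to review an extension for this class of bug: every argument reaching rawElement() must either be escaped already or be trusted by construction.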
References
- gerrit.wikimedia.org/r/c/mediawiki/extensions/UnlinkedWikibase/+/1002175
- gerrit.wikimedia.org/r/mediawiki/extensions/UnlinkedWikibase.git
- github.com/advisories/GHSA-wcx3-63mm-h8x6
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FU2FGUXXK6TMV6R52VRECLC6XCSQQISY
- nvd.nist.gov/vuln/detail/CVE-2024-34500
- phabricator.wikimedia.org/T357203