CVE-2021-39186

Severity CVSS v4.0: Pending analysis
Type: CWE-20 Input Validation
Publication date: 01/09/2021
Last modified: 10/09/2021

Description

GlobalNewFiles is a MediaWiki extension maintained by Miraheze. Prior to commit cee254e1b158cdb0ddbea716b1d3edc31fa4fb5d, the username column of the GlobalNewFiles special page is vulnerable to stored XSS. Commit cee254e1b158cdb0ddbea716b1d3edc31fa4fb5d contains a patch. As a workaround, one may disallow (or other characters required to insert HTML/JS) from being used in account names so that an XSS is not possible.

Vulnerable products and versions

CPE: cpe:2.3:a:miraheze:globalnewfiles:*:*:*:*:*:mediawiki:*:*
From: -
Up to: 2021-09-01 (excluding)