CVE-2021-39186
Severity CVSS v4.0: Pending analysis
Type: CWE-20 Input Validation
Publication date: 01/09/2021
Last modified: 10/09/2021
Description
GlobalNewFiles is a MediaWiki extension maintained by Miraheze. Prior to commit cee254e1b158cdb0ddbea716b1d3edc31fa4fb5d, the username column of the GlobalNewFiles special page is vulnerable to stored XSS. Commit cee254e1b158cdb0ddbea716b1d3edc31fa4fb5d contains a patch. As a workaround, one may disallow (or other characters required to insert HTML/JS) from being used in account names so that XSS is not possible.
Impact
Base Score 3.x: 6.10
Severity 3.x: MEDIUM
Base Score 2.0: 4.30
Severity 2.0: MEDIUM
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:a:miraheze:globalnewfiles:*:*:*:*:*:mediawiki:*:* | | 2021-09-01 (excluding) |