Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-34911

An issue was discovered in MediaWiki before 1.35.7, 1.36.x and 1.37.x before 1.37.3, and 1.38.x before 1.38.1. XSS can occur in configurations that allow a JavaScript payload in a username. After account creation, when it sets the page title to "Welcome" followed by the username, the username is not escaped: SpecialCreateAccount::successfulAction() calls ::showSuccessPage() with a message as second parameter, and OutputPage::setPageTitle() uses text().

Published

2022-07-02T20:15:08.373

Last Modified

2024-11-21T07:10:25.193

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.1 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

8.6

Impact Score

2.9

Weaknesses

Type: Primary
CWE-79

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	mediawiki	mediawiki	< 1.35.7	Yes
Application	mediawiki	mediawiki	< 1.37.3	Yes
Application	mediawiki	mediawiki	1.38.0	Yes
Application	mediawiki	mediawiki	1.38.0	Yes
Application	mediawiki	mediawiki	1.38.0	Yes
Operating System	fedoraproject	fedora	36	Yes
Operating System	fedoraproject	fedora	37	Yes

References

https://lists.debian.org/debian-lts-announce/2022/09/msg00027.html Mailing List, Third Party Advisory ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7N5ZBWLNNPZKFK7Q4KEHGCJ2YELQEUJP/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DKKOQXPYLMBSEVDHFS32BPBR3ZQJKY5B/ ([email protected])
https://phabricator.wikimedia.org/T308471 Issue Tracking, Vendor Advisory ([email protected])
https://security.gentoo.org/glsa/202305-24 ([email protected])
https://www.debian.org/security/2022/dsa-5246 Third Party Advisory ([email protected])
https://lists.debian.org/debian-lts-announce/2022/09/msg00027.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7N5ZBWLNNPZKFK7Q4KEHGCJ2YELQEUJP/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DKKOQXPYLMBSEVDHFS32BPBR3ZQJKY5B/ (af854a3a-2127-422b-91ae-364da2661108)
https://phabricator.wikimedia.org/T308471 Issue Tracking, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.gentoo.org/glsa/202305-24 (af854a3a-2127-422b-91ae-364da2661108)
https://www.debian.org/security/2022/dsa-5246 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)