An issue was discovered in MediaWiki before 1.37.3 and 1.38.x before 1.38.1. The contributions-title, used on Special:Contributions, is used as page title without escaping. Hence, in a non-default configuration where a username contains HTML entities, it won't be escaped.
2022-07-02T20:15:08.417
2024-11-21T07:10:25.360
Modified
CVSSv3.1: 6.1 (MEDIUM)
AV:N/AC:M/Au:N/C:N/I:P/A:N
8.6
2.9
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | mediawiki | mediawiki | < 1.37.3 | Yes |
| Application | mediawiki | mediawiki | 1.38.0 | Yes |
| Application | mediawiki | mediawiki | 1.38.0 | Yes |
| Application | mediawiki | mediawiki | 1.38.0 | Yes |
| Operating System | fedoraproject | fedora | 36 | Yes |
| Operating System | fedoraproject | fedora | 37 | Yes |