CVE-2024-34500


An issue was discovered in the UnlinkedWikibase extension in MediaWiki before 1.39.6, 1.40.x before 1.40.2, and 1.41.x before 1.41.1. XSS can occur through an interface message. Error messages (in the $err var) are not escaped before being passed to Html::rawElement() in the getError() function in the Hooks class.


Published: 2024-05-05T19:15:07.123

Last Modified: 2025-06-11T14:44:14.040

Status: Analyzed

Source: [email protected]

Severity: CVSSv3.1: 6.1 (MEDIUM)

Weaknesses
  • Type: Secondary
    CWE-79

Affected Vendors & Products
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | mediawiki | mediawiki | < 1.39.6 | Yes |
| Application | mediawiki | mediawiki | < 1.40.2 | Yes |
| Application | mediawiki | mediawiki | < 1.41.1 | Yes |
| Operating System | fedoraproject | fedora | 40 | Yes |
