#VU31006 Cross-site scripting in MediaWiki - CVE-2019-12471

 

Published: July 10, 2019 / Updated: July 17, 2020


Vulnerability identifier: #VU31006
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-12471
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
MediaWiki
Software vendor:
MediaWiki.org

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Wikimedia MediaWiki 1.30.0 through 1.32.1 is vulnerable to cross-site scripting (XSS). When user JavaScript is loaded from a non-existent account, anyone can create that account and perform XSS against users who load that script. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.


Remediation

Install the update from the vendor's website.
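
For administrators who want to audit site scripts and gadgets for the condition in the description, the following added example (not code from MediaWiki or from this advisory) lists user-script loads whose owning account is not registered. The sample script text, the registered-user list and all function names are constructed for illustration; it assumes default first-letter capitalization of usernames and covers only `importScript(...)` calls and `action=raw` URLs in which `title=` comes first.

```python
import re
from urllib.parse import unquote

# Two common ways wiki JavaScript pulls in a script from a user subpage.
IMPORT_CALL = re.compile(
    r"""importScript\(\s*['"]User:([^/'"]+)/([^'"]+\.js)['"]\s*\)""")
RAW_URL = re.compile(
    r"""title=User:([^/&'"]+)/([^&'"]+\.js)[^'"]*action=raw""")

# Constructed sample: contents of a site-wide script page.
SAMPLE_COMMON_JS = """
importScript('User:Alice/tools.js');
mw.loader.load('/w/index.php?title=User:Old_helper/fix.js&action=raw&ctype=text/javascript');
importScript( "User:bob/nav.js" );
"""

# Constructed sample: accounts that exist on the wiki (supplied by the admin).
REGISTERED = ["Alice", "Bob"]


def normalize_username(name):
    """Apply title normalization: URL-decode, underscores to spaces,
    first letter upper-cased (assumed default configuration)."""
    name = unquote(name).replace("_", " ").strip()
    return name[:1].upper() + name[1:]


def find_user_script_loads(js_source):
    """Return sorted, de-duplicated (username, script) pairs loaded by js_source."""
    loads = set()
    for pattern in (IMPORT_CALL, RAW_URL):
        for m in pattern.finditer(js_source):
            loads.add((normalize_username(m.group(1)), unquote(m.group(2))))
    return sorted(loads)


def unregistered_script_owners(js_source, registered_users):
    """Return loads whose owning account is not registered, i.e. script
    references that should be removed or repointed."""
    registered = {normalize_username(u) for u in registered_users}
    return [(user, script)
            for user, script in find_user_script_loads(js_source)
            if user not in registered]


if __name__ == "__main__":
    for user, script in unregistered_script_owners(SAMPLE_COMMON_JS, REGISTERED):
        print(f"script load from unregistered account: User:{user}/{script}")
```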

External links