#VU34951 Cross-site scripting in MediaWiki - CVE-2019-19910

Cybersecurity Help s.r.o.

Published: 2019-12-19 | Updated: 2020-08-08

Vulnerability identifier: #VU34951

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-19910

CWE-ID: CWE-79

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
MediaWiki
Web applications / CMS

Vendor: MediaWiki.org

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The MinervaNeue Skin in MediaWiki from 2019-11-05 to 2019-12-13 (1.35 and/or 1.34) mishandles certain HTML attributes, as demonstrated by IMG onmouseover= (impact is XSS) and IMG src=http (impact is disclosing the client's IP address). This can occur within a talk page topical header that is viewed within a mobile (MobileFrontend) context.

Mitigation
Install update from vendor's website.

Vulnerable software versions

MediaWiki: 1.34 - 1.35

External links
https://gerrit.wikimedia.org/r/q/Ida471291f1698387a26736931ab17e6899e05b51
https://phabricator.wikimedia.org/T240487

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in MediaWiki