Vulnerability Description
XSS exists in the MobileFrontend extension for MediaWiki before 1.34.4 because section.line is mishandled during regex section line replacement from PageGateway. Using crafted HTML, an attacker can elicit an XSS attack via jQuery's parseHTML method, which can cause image callbacks to fire even without the element being appended to the DOM.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mediawiki | Mediawiki | < 1.34.4 |
| Fedoraproject | Fedora | 33 |
Related Weaknesses (CWE)
References
- https://gerrit.wikimedia.org/r/q/I42e079bc875d17b336ab015f3678eaedc26e10eaVendor Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://phabricator.wikimedia.org/T262213ExploitIssue TrackingPatch
- https://gerrit.wikimedia.org/r/q/I42e079bc875d17b336ab015f3678eaedc26e10eaVendor Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://phabricator.wikimedia.org/T262213ExploitIssue TrackingPatch
FAQ
What is CVE-2020-26120?
CVE-2020-26120 is a vulnerability with a CVSS score of 6.1 (MEDIUM). XSS exists in the MobileFrontend extension for MediaWiki before 1.34.4 because section.line is mishandled during regex section line replacement from PageGateway. Using crafted HTML, an attacker can el...
How severe is CVE-2020-26120?
CVE-2020-26120 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-26120?
Check the references section above for vendor advisories and patch information. Affected products include: Mediawiki Mediawiki, Fedoraproject Fedora.