Vulnerability Description
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. On Special:NewFiles, all the mediastatistics-header-* messages are output in HTML unescaped, leading to XSS.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mediawiki | Mediawiki | < 1.31.12 |
| Debian | Debian Linux | 10.0 |
| Fedoraproject | Fedora | 33 |
Related Weaknesses (CWE)
References
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://phabricator.wikimedia.org/T278014ExploitIssue TrackingPatch
- https://security.gentoo.org/glsa/202107-40Third Party Advisory
- https://www.debian.org/security/2021/dsa-4889Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://phabricator.wikimedia.org/T278014ExploitIssue TrackingPatch
- https://security.gentoo.org/glsa/202107-40Third Party Advisory
- https://www.debian.org/security/2021/dsa-4889Third Party Advisory
FAQ
What is CVE-2021-30154?
CVE-2021-30154 is a vulnerability with a CVSS score of 6.1 (MEDIUM). An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. On Special:NewFiles, all the mediastatistics-header-* messages are output in HTML unescaped, leading to XSS...
How severe is CVE-2021-30154?
CVE-2021-30154 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-30154?
Check the references section above for vendor advisories and patch information. Affected products include: Mediawiki Mediawiki, Debian Debian Linux, Fedoraproject Fedora.