Vulnerability Description
An XSS issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. The widthheight, widthheightpage, and nbytes properties of messages are not escaped when used in galleries or Special:RevisionDelete.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mediawiki | Mediawiki | < 1.35.6 |
| Fedoraproject | Fedora | 36 |
| Debian | Debian Linux | 10.0 |
Related Weaknesses (CWE)
References
- https://lists.debian.org/debian-lts-announce/2022/09/msg00027.html (Mailing List, Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://phabricator.wikimedia.org/T297543 (Issue Tracking, Patch, Vendor Advisory)
- https://security.gentoo.org/glsa/202305-24
- https://www.debian.org/security/2022/dsa-5246 (Third Party Advisory)
FAQ
What is CVE-2022-28202?
CVE-2022-28202 is a vulnerability with a CVSS score of 6.1 (MEDIUM). An XSS issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. The widthheight, widthheightpage, and nbytes properties of messages are not escaped when used in...
How severe is CVE-2022-28202?
CVE-2022-28202 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2022-28202?
Check the references section above for vendor advisories and patch information. Affected products include: Mediawiki Mediawiki, Fedoraproject Fedora, Debian Debian Linux.