In Wikibase Wikidata Query Service GUI before 0.3.6-SNAPSHOT 2019-11-07, when mathematical expressions in results are displayed directly, arbitrary JavaScript execution can occur, aka XSS. This was addressed by introducing MathJax as a new mathematics rendering engine. NOTE: this GUI code is no longer bundled with the Wikibase Wikidata Query Service snapshots, such as 0.3.6-SNAPSHOT.
References
Link | Resource |
---|---|
https://gerrit.wikimedia.org/g/wikidata/query/gui/+/d9f964b88c01748e278ca8c4b8929a8ef0ef0267 | Mailing List Patch Vendor Advisory |
https://gerrit.wikimedia.org/r/#/c/wikidata/query/gui/+/549457/ | Patch Vendor Advisory |
https://lists.wikimedia.org/pipermail/wikidata-tech/2019-November/001492.html | Vendor Advisory |
https://phabricator.wikimedia.org/T233213 | Exploit Issue Tracking Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2019-11-27T15:28:10
Updated: 2019-11-28T23:22:42
Reserved: 2019-11-27T00:00:00
Link: CVE-2019-19329
JSON object: View
NVD Information
Status : Analyzed
Published: 2019-11-27T16:15:11.660
Modified: 2019-12-18T18:13:12.107
Link: CVE-2019-19329
JSON object: View
Redhat Information
No data.
CWE