An issue was discovered in the CampaignEvents extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. The Special:EventDetails page allows XSS via the x-xss language setting for internationalization (i18n).

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors Products
Mediawiki
  • Mediawiki

Configuration 1 [-]

OR cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*
cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*
cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*
References
Link Resource
https://gerrit.wikimedia.org/r/q/I70d71c409193e904684dfb706d424b0a815fa6f6 Patch
https://phabricator.wikimedia.org/T348343 Exploit Vendor Advisory
History

No history.

cve-icon MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2024-01-12T00:00:00

Updated: 2024-01-12T04:40:13.720196

Reserved: 2024-01-12T00:00:00

Link: CVE-2024-23171

JSON object: View

cve-icon NVD Information

Status : Analyzed

Published: 2024-01-12T05:15:10.033

Modified: 2024-01-18T20:23:45.707

Link: CVE-2024-23171

JSON object: View

cve-icon Redhat Information

No data.

CWE