CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2023-37302
https://notcve.org/view.php?id=CVE-2023-37302
An issue was discovered in SiteLinksView.php in Wikibase in MediaWiki through 1.39.3. There is XSS via a crafted badge title attribute. This is also related to lack of escaping in wbTemplate (from resources/wikibase/templates.js) for quotes (which can be in a title attribute). • https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Wikibase/+/933649 https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Wikibase/+/933650 https://phabricator.wikimedia.org/T339111 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2023-37301
https://notcve.org/view.php?id=CVE-2023-37301
An issue was discovered in SubmitEntityAction in Wikibase in MediaWiki through 1.39.3. Because it doesn't use EditEntity for undo and restore, the intended interaction with AbuseFilter does not occur. • https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Wikibase/+/933663 https://phabricator.wikimedia.org/T250720 •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-37304
https://notcve.org/view.php?id=CVE-2023-37304
An issue was discovered in the DoubleWiki extension for MediaWiki through 1.39.3. includes/DoubleWiki.php allows XSS via the column alignment feature. • https://gerrit.wikimedia.org/r/c/mediawiki/extensions/DoubleWiki/+/932825 https://phabricator.wikimedia.org/T323651 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2023-37300
https://notcve.org/view.php?id=CVE-2023-37300
An issue was discovered in the CheckUserLog API in the CheckUser extension for MediaWiki through 1.39.3. There is incorrect access control for visibility of hidden users. • https://gerrit.wikimedia.org/r/q/I993fdcae1fedb7dd543b35a477026bc727615b0a https://phabricator.wikimedia.org/T330968 •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2023-37255
https://notcve.org/view.php?id=CVE-2023-37255
An issue was discovered in the CheckUser extension for MediaWiki through 1.39.3. In Special:CheckUser, a check of the "get edits" type is vulnerable to HTML injection through the User-Agent HTTP request header. • https://phabricator.wikimedia.org/T333569 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •