CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2023-37256
https://notcve.org/view.php?id=CVE-2023-37256
An issue was discovered in the Cargo extension for MediaWiki through 1.39.3. It allows one to store javascript: URLs in URL fields, and automatically links these URLs. • https://phabricator.wikimedia.org/T331311 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2023-37254
https://notcve.org/view.php?id=CVE-2023-37254
An issue was discovered in the Cargo extension for MediaWiki through 1.39.3. XSS can occur in Special:CargoQuery via a crafted page item when using the default format. • https://phabricator.wikimedia.org/T331065 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-37251
https://notcve.org/view.php?id=CVE-2023-37251
An issue was discovered in the GoogleAnalyticsMetrics extension for MediaWiki through 1.39.3. The googleanalyticstrackurl parser function does not properly escape JavaScript in the onclick handler and does not prevent use of javascript: URLs. • https://phabricator.wikimedia.org/T333980 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2023-37255
https://notcve.org/view.php?id=CVE-2023-37255
An issue was discovered in the CheckUser extension for MediaWiki through 1.39.3. In Special:CheckUser, a check of the "get edits" type is vulnerable to HTML injection through the User-Agent HTTP request header. • https://phabricator.wikimedia.org/T333569 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 1CVE-2023-36675
https://notcve.org/view.php?id=CVE-2023-36675
An issue was discovered in MediaWiki before 1.35.11, 1.36.x through 1.38.x before 1.38.7, and 1.39.x before 1.39.4. BlockLogFormatter.php in BlockLogFormatter allows XSS in the partial blocks feature. Se descubrió un problema en MediaWiki antes de 1.35.11, 1.36.x hasta 1.38.x antes de 1.38.7 y 1.39.x antes de 1.39.4. BlockLogFormatter.php en BlockLogFormatter permite XSS en la función de bloques parciales. • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2UIVGYECQGTUC2LLPVCZBPDLCTOHL2F6 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6CHRX6DSLAMVXCV2YMJEWOLTBEYSESE5 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DOAXEGYBOEM4JWB4J3BDH73NK2LCYC3O https://phabricator.wikimedia.org/T332889 https://www.debian.org/security/2023/dsa-5447 https://www.mediawiki.org/wiki/Release_notes/1.40#Other_changes_in_1.40 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •