CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2023-37254
https://notcve.org/view.php?id=CVE-2023-37254
An issue was discovered in the Cargo extension for MediaWiki through 1.39.3. XSS can occur in Special:CargoQuery via a crafted page item when using the default format. • https://phabricator.wikimedia.org/T331065 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-37251
https://notcve.org/view.php?id=CVE-2023-37251
An issue was discovered in the GoogleAnalyticsMetrics extension for MediaWiki through 1.39.3. The googleanalyticstrackurl parser function does not properly escape JavaScript in the onclick handler and does not prevent use of javascript: URLs. • https://phabricator.wikimedia.org/T333980 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2023-37255
https://notcve.org/view.php?id=CVE-2023-37255
An issue was discovered in the CheckUser extension for MediaWiki through 1.39.3. In Special:CheckUser, a check of the "get edits" type is vulnerable to HTML injection through the User-Agent HTTP request header. • https://phabricator.wikimedia.org/T333569 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 1CVE-2023-36675
https://notcve.org/view.php?id=CVE-2023-36675
An issue was discovered in MediaWiki before 1.35.11, 1.36.x through 1.38.x before 1.38.7, and 1.39.x before 1.39.4. BlockLogFormatter.php in BlockLogFormatter allows XSS in the partial blocks feature. Se descubrió un problema en MediaWiki antes de 1.35.11, 1.36.x hasta 1.38.x antes de 1.38.7 y 1.39.x antes de 1.39.4. BlockLogFormatter.php en BlockLogFormatter permite XSS en la función de bloques parciales. • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2UIVGYECQGTUC2LLPVCZBPDLCTOHL2F6 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6CHRX6DSLAMVXCV2YMJEWOLTBEYSESE5 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DOAXEGYBOEM4JWB4J3BDH73NK2LCYC3O https://phabricator.wikimedia.org/T332889 https://www.debian.org/security/2023/dsa-5447 https://www.mediawiki.org/wiki/Release_notes/1.40#Other_changes_in_1.40 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 1CVE-2022-41766
https://notcve.org/view.php?id=CVE-2022-41766
An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. Upon an action=rollback operation, the alreadyrolled message can leak a user name (when the user has been revision deleted/suppressed). • https://phabricator.wikimedia.org/T307278 • CWE-732: Incorrect Permission Assignment for Critical Resource •