Vulnerability CVE-2020-35479: Information
Description
MediaWiki before 1.35.1 allows XSS via BlockLogFormatter.php. Language::translateBlockExpiry itself does not escape in all code paths. For example, the return of Language::userTimeAndDate is always unsafe for HTML in a month value. This affects MediaWiki 1.12.0 and later.
Severity: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Fixed packages
Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
---|---|---|---|---|---|---|
mediawiki | sisyphus | 1.35.1-alt1 | 1.40.1-alt2 | ALT-PU-2020-3554-1 | 263831 | Fixed |
mediawiki | p10 | 1.35.1-alt1 | 1.40.1-alt2 | ALT-PU-2020-3554-1 | 263831 | Fixed |
mediawiki | p9 | 1.35.1-alt1 | 1.36.1-alt1 | ALT-PU-2020-3568-1 | 263837 | Fixed |
mediawiki | c10f1 | 1.35.1-alt1 | 1.37.2-alt1 | ALT-PU-2020-3554-1 | 263831 | Fixed |
References to Advisories, Solutions, and Tools
Hyperlink | Resource |
---|---|
https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-December/000268.html | |
https://phabricator.wikimedia.org/T268938 | |
DSA-4816 | |
[debian-lts-announce] 20201223 [SECURITY] [DLA 2504-1] mediawiki security update | |
FEDORA-2020-0be2d40e13 | |