Vulnerability CVE-2021-30157: Information

Description

An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. On ChangesList special pages such as Special:RecentChanges and Special:Watchlist, some of the rcfilters-filter-* label messages are output in HTML unescaped, leading to XSS.

Severity: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

URL: https://nvd.nist.gov/vuln/detail/CVE-2021-30157
Published: April 6, 2021
Modified: Nov. 7, 2023
Error type identifier: CWE-79

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
mediawikisisyphus1.35.2-alt11.40.1-alt2ALT-PU-2021-1712-1270649Fixed
mediawikip101.35.2-alt11.40.1-alt2ALT-PU-2021-1712-1270649Fixed
mediawikip91.36.1-alt11.36.1-alt1ALT-PU-2021-2091-1274917Fixed
mediawikic10f11.35.2-alt11.37.2-alt1ALT-PU-2021-1712-1270649Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://phabricator.wikimedia.org/T278058
  • Exploit
  • Issue Tracking
  • Patch
  • Vendor Advisory
DSA-4889
  • Third Party Advisory
GLSA-202107-40
  • Third Party Advisory
FEDORA-2021-f4223b6684
    FEDORA-2021-d298103d3a

        1. Configuration 1

          cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*
          Start including
          1.32.0
          End excliding
          1.35.2
          cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*
          End excliding
          1.31.12

          Configuration 2

          cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

          Configuration 3

          cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
          cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
      VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
      Version: v24.4.2
      Back to top