CVE-2022-28202

An XSS issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. The widthheight, widthheightpage, and nbytes properties of messages are not escaped when used in galleries or Special:RevisionDelete.

Published: Mar 30, 2022
Updated: Apr 14, 2023
CVE: CVE-2022-28202
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
mediawiki / mediawiki	-	1.35.6
mediawiki / mediawiki	1.36.0	1.36.4
mediawiki / mediawiki	1.37.0	1.37.2
fedoraproject / fedora	36	36.x
debian / debian_linux	10.0	10.0.x

https://lists.debian.org/debian-lts-announce/2022/09/msg00027.html
https://lists.fedoraproject.org/archives/list/[email protected]/message/PT4CHJKOQOVMI65TSNZRNV6FIWU7SGZD/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PT4CHJKOQOVMI65TSNZRNV6FIWU7SGZD/
https://phabricator.wikimedia.org/T297543
https://security.gentoo.org/glsa/202305-24
https://www.debian.org/security/2022/dsa-5246

Vulnerability Database

289,784

CVE-2022-28202