CVE-2024-23172

An issue was discovered in the CheckUser extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. XSS can occur via message definitions. e.g., in SpecialCheckUserLog.

Published: Jan 12, 2024
Updated: Jan 19, 2024
CVE: CVE-2024-23172
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.4
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
mediawiki / mediawiki	-	1.35.14
mediawiki / mediawiki	1.36.0	1.39.6
mediawiki / mediawiki	1.40.0	1.40.2

https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/989179
https://phabricator.wikimedia.org/T347708

Vulnerability Database

289,689

CVE-2024-23172