CVE-2024-34500

An issue was discovered in the UnlinkedWikibase extension in MediaWiki before 1.39.6, 1.40.x before 1.40.2, and 1.41.x before 1.41.1. XSS can occur through an interface message. Error messages (in the $err var) are not escaped before being passed to Html::rawElement() in the getError() function in the Hooks class.

Published: May 5, 2024
Updated: May 6, 2024
CVE: CVE-2024-34500
Exploit:

No technical information available.

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
mediawiki / mediawiki	1.40.0	1.40.2
mediawiki / mediawiki	-	1.39.6
mediawiki / mediawiki	1.41.0	1.41.1
fedoraproject / fedora	40	40.x

https://gerrit.wikimedia.org/r/c/mediawiki/extensions/UnlinkedWikibase/+/1002175
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FU2FGUXXK6TMV6R52VRECLC6XCSQQISY/
https://phabricator.wikimedia.org/T357203

Vulnerability Database

289,697

CVE-2024-34500