MediaWiki before 1.23.16, 1.24.x through 1.27.x before 1...
High severity
Unreviewed
Published
Feb 20, 2022
to the GitHub Advisory Database
•
Updated Feb 3, 2023
Description
Published by the National Vulnerability Database
Feb 18, 2022
Published to the GitHub Advisory Database
Feb 20, 2022
Last updated
Feb 3, 2023
MediaWiki before 1.23.16, 1.24.x through 1.27.x before 1.27.2, and 1.28.x before 1.28.1 allows remote attackers to discover the IP addresses of Wiki visitors via a style="background-image: attr(title url);" attack within a DIV element that has an attacker-controlled URL in the title attribute.
References