Wikimedia Parsoid vulnerable to Cross-site Scripting (XSS)
Moderate severity
GitHub Reviewed
Published May 24, 2022 to the GitHub Advisory Database • Updated Jun 7, 2024
Package
Affected versions: >= 0.12, < 0.12.2; < 0.11.1
Patched versions: 0.12.2; 0.11.1
Description
An issue was discovered in Wikimedia Parsoid before 0.11.1 and 0.12.x before 0.12.2. An attacker can send crafted wikitext that Utils/WTUtils.php will transform by using a tag, bypassing sanitization steps, and potentially allowing for XSS.
Published by the National Vulnerability Database: Apr 9, 2021
Published to the GitHub Advisory Database: May 24, 2022
Reviewed: Jun 7, 2024
Last updated: Jun 7, 2024