Skip to content

Improper Input Validation in GlobalNewFiles

Moderate
RhinosF1 published GHSA-57p5-hqjq-h7vg Sep 1, 2021

Package

GlobalNewFiles (MediaWiki Extension)

Affected versions

Before cee254e1b158cdb0ddbea716b1d3edc31fa4fb5d

Patched versions

cee254e1b158cdb0ddbea716b1d3edc31fa4fb5d

Description

Impact

The username column of the GlobalNewFiles special page is vulnerable to a stored XSS.

Patches

To be released

Workarounds

Disallow <,> (or other charecters required to insert html/js) from being used in account names so an XSS isn't possible.

References

https://phabricator.miraheze.org/T7935

For more information

If you have any questions or comments about this advisory:

Severity

Moderate
4.3
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CVE ID

CVE-2021-39186

Weaknesses

Credits