Description

An issue was discovered in CentralAuth in MediaWiki through 1.36.2. The rightsnone MediaWiki message was not being properly sanitized and allowed for the injection and execution of HTML and JavaScript via the setchange log.

Remediation

References

CVE-2021-42041

Related Vulnerabilities

Drupal Core 4.6.x Arbitrary Code Execution (4.6.0 - 4.6.7)

e107 Other Vulnerability (CVE-2004-2040)

Drupal Core 6.x Session Hijacking (6.0 - 6.33)

WordPress Plugin MF Gig Calendar 'page_id' Parameter Cross-Site Scripting (0.9.4.1)

MediaWiki Insufficiently Protected Credentials Vulnerability (CVE-2020-35623)

Severity

Medium

Classification

CVE-2021-42041 CWE-707 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Tags

Missing Update Known Vulnerabilities