First published: Wed Oct 06 2021
An issue was discovered in Special:MediaSearch in the MediaSearch extension in MediaWiki through 1.36.2. The suggestion text (a parameter to mediasearch-did-you-mean) was not being properly sanitized and allowed for the injection and execution of HTML and JavaScript via the intitle: search operator within the query.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix
---|---|---
MediaWiki | <=1.36.2 |
The vulnerability ID for this issue is CVE-2021-42043.
The affected software is MediaWiki version up to and including 1.36.2.
The severity rating for this vulnerability is medium (CVSS score 6.1).
The vulnerability can be exploited by injecting and executing HTML and JavaScript through the intitle: search operator in Special:MediaSearch.
Yes, there are references available: [1] [2]
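The sink described above, reduced to its essentials as an added example (not MediaSearch or MediaWiki code): a "did you mean" suggestion derived from the user's `intitle:` term is interpolated raw into markup, beside the escaped version and a check a tester can run on rendered output. The message shape and all function names are assumptions for illustration.

```javascript
// Added example, not the extension's code. The "did you mean" template below
// stands in for the mediasearch-did-you-mean message; its suggestion
// parameter ($1 in MediaWiki terms) is the injection point under discussion.

// Minimal HTML escaper for text that is inserted into markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// The suggestion is derived from user input: here the value of the
// intitle: operator in the query (a simplification of real suggestion logic).
function suggestionFromQuery(query) {
  const m = /intitle:(\S+)/.exec(query);
  return m ? m[1] : query;
}

// Vulnerable shape: the suggestion is interpolated as-is into HTML.
function didYouMeanUnsafe(suggestion) {
  return `Did you mean <a href="#">${suggestion}</a>?`;
}

// Fixed shape: the suggestion is escaped before it reaches the markup.
function didYouMeanSafe(suggestion) {
  return `Did you mean <a href="#">${escapeHtml(suggestion)}</a>?`;
}

// Check for a rendered message: after removing the tags the template itself
// emits, does any tag remain? If so, user-controlled markup got through.
const TEMPLATE_TAGS = ['<a href="#">', '</a>'];
function containsInjectedTag(html) {
  let rest = html;
  for (const tag of TEMPLATE_TAGS) rest = rest.split(tag).join('');
  return /<[a-zA-Z\/!]/.test(rest);
}

// Constructed sample query with a harmless tag in the intitle: term.
const SAMPLE_QUERY = 'intitle:<b>cats</b> landscape';
const unsafeOut = didYouMeanUnsafe(suggestionFromQuery(SAMPLE_QUERY));
const safeOut = didYouMeanSafe(suggestionFromQuery(SAMPLE_QUERY));
console.log('unsafe injected:', containsInjectedTag(unsafeOut)); // true
console.log('safe injected:  ', containsInjectedTag(safeOut));   // false
```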