CVE-2023-37251: XSS
First published: Thu Jun 29 2023(Updated: )
An issue was discovered in the GoogleAnalyticsMetrics extension for MediaWiki through 1.39.3. The googleanalyticstrackurl parser function does not properly escape JavaScript in the onclick handler and does not prevent use of javascript: URLs.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| MediaWiki MediaWiki | <=1.39.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2023-37251.
What is the affected software?
The affected software is MediaWiki versions up to and including 1.39.3.
What is the severity of CVE-2023-37251?
The severity of CVE-2023-37251 is medium.
What is the Common Vulnerabilities and Exposures (CVE) entry for this vulnerability?
The Common Vulnerabilities and Exposures (CVE) entry for this vulnerability is CVE-2023-37251.
How can I fix this vulnerability?
To fix this vulnerability, update MediaWiki to version 1.39.4 or later.
- agent/weakness
- agent/severity
- agent/references
- agent/author
- agent/description
- agent/type
- agent/event
- agent/softwarecombine
- agent/first-publish-date
- agent/last-modified-date
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/mediawiki
- canonical/mediawiki mediawiki
- version/mediawiki mediawiki/1.39.3