Vulnerability Details : CVE-2019-19328
ui/editor/tooltip/Rdf.js in Wikibase Wikidata Query Service GUI before 0.3.6-SNAPSHOT 2019-11-07 allows HTML injection in tooltips for entities. NOTE: this GUI code is no longer bundled with the Wikibase Wikidata Query Service snapshots, such as 0.3.6-SNAPSHOT.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2019-19328
- cpe:2.3:a:wikimedia:wikidata_query_gui:*:*:*:*:*:*:*:*
- cpe:2.3:a:wikimedia:wikidata_query_gui:0.3.6:-:*:*:*:*:*:*
- cpe:2.3:a:wikimedia:wikidata_query_gui:0.3.6:2019-11-07:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-19328
0.63%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 68 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-19328
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
8.6
|
2.9
|
NIST | |
|
6.1
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
2.8
|
2.7
|
NIST |
CWE ids for CVE-2019-19328
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-19328
-
https://gerrit.wikimedia.org/r/#/c/553311/
Change I2ceda691: Fix two HTML injections | gerrit.wikimedia Code ReviewMailing List;Patch;Vendor Advisory
-
https://lists.wikimedia.org/pipermail/wikidata-tech/2019-November/001503.html
[Wikidata-tech] Wikibase: new security fix available for the Query Service GUIMailing List;Patch;Vendor Advisory
-
https://gerrit.wikimedia.org/g/wikidata/query/gui/+/270f833cff8fdc1e050230ecc9f7dfc4d090d90d
270f833cff8fdc1e050230ecc9f7dfc4d090d90d - wikidata/query/gui - GitilesMailing List;Patch;Vendor Advisory
Jump to