Vulnerability Details : CVE-2023-36675
An issue was discovered in MediaWiki before 1.35.11, 1.36.x through 1.38.x before 1.38.7, and 1.39.x before 1.39.4. BlockLogFormatter.php in BlockLogFormatter allows XSS in the partial blocks feature.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2023-36675
- cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-36675
0.12%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 47 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-36675
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.1
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
2.8
|
2.7
|
NIST |
CWE ids for CVE-2023-36675
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by: nvd@nist.gov (Primary)
References for CVE-2023-36675
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2UIVGYECQGTUC2LLPVCZBPDLCTOHL2F6/
[SECURITY] Fedora 37 Update: mediawiki-1.38.7-1.fc37 - package-announce - Fedora Mailing-Lists
-
https://www.mediawiki.org/wiki/Release_notes/1.40#Other_changes_in_1.40
Release notes/1.40 - MediaWikiVendor Advisory
-
https://www.debian.org/security/2023/dsa-5447
Debian -- Security Information -- DSA-5447-1 mediawikiThird Party Advisory
-
https://phabricator.wikimedia.org/T332889
⚓ T332889 XSS in BlockLogFormatter due to unsafe message useExploit;Issue Tracking
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DOAXEGYBOEM4JWB4J3BDH73NK2LCYC3O/
[SECURITY] Fedora 38 Update: mediawiki-1.39.4-1.fc38 - package-announce - Fedora Mailing-Lists
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6CHRX6DSLAMVXCV2YMJEWOLTBEYSESE5/
[SECURITY] Fedora 39 Update: mediawiki-1.39.4-1.fc39 - package-announce - Fedora Mailing-Lists
Jump to