Vulnerability Details : CVE-2024-34507
An issue was discovered in includes/CommentFormatter/CommentParser.php in MediaWiki before 1.39.7, 1.40.x before 1.40.3, and 1.41.x before 1.41.1. XSS can occur because of mishandling of the 0x1b character, as demonstrated by Special:RecentChanges#%1b0000000.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2024-34507
Please log in to view affected product information.
Exploit prediction scoring system (EPSS) score for CVE-2024-34507
0.16%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 38 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2024-34507
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
7.4
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N |
2.8
|
4.0
|
134c704f-9b21-4f2e-91b3-4a467353bcc0 | 2024-07-03 |
CWE ids for CVE-2024-34507
-
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.Assigned by: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
References for CVE-2024-34507
-
https://phabricator.wikimedia.org/T355538
⚓ T355538 CVE-2024-: XSS in edit summary parser
-
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FU2FGUXXK6TMV6R52VRECLC6XCSQQISY/
[SECURITY] Fedora 40 Update: php-oojs-oojs-ui-0.48.1-1.fc40 - package-announce - Fedora Mailing-Lists
Jump to