Improper Input Validation in GlobalNewFiles
CVE-2021-39186

4.3 MEDIUM

Key Information:

Vendor: Miraheze
CVE Published: 1 September 2021

What is CVE-2021-39186?

GlobalNewFiles is a MediaWiki extension maintained by Miraheze. Prior to commit cee254e1b158cdb0ddbea716b1d3edc31fa4fb5d, the username column of the GlobalNewFiles special page is vulnerable to stored XSS. Commit cee254e1b158cdb0ddbea716b1d3edc31fa4fb5d contains a patch. As a workaround, one may disallow < and > (or other characters required to insert HTML/JS) in account names so that an XSS is not possible.

Affected Version(s)

GlobalNewFiles < cee254e1b158cdb0ddbea716b1d3edc31fa4fb5d

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
