Cross-site Scripting in ShortDescription extension
CVE-2022-21710

4.7MEDIUM

Key Information:

Vendor

Starcitizentools

Status
Mediawiki-extensions-shortdescription
Vendor
CVE Published:
24 January 2022

What is CVE-2022-21710?

ShortDescription is a MediaWiki extension that provides local short description support. A cross-site scripting (XSS) vulnerability exists in versions prior to 2.3.4. On a wiki that has the ShortDescription enabled, XSS can be triggered on any page or the page with the action=info parameter, which displays the shortdesc property. This is achieved using the wikitext {{SHORTDESC:<img src=x onerror=alert()>}}. This issue has a patch in version 2.3.4.

Affected Version(s)

mediawiki-extensions-ShortDescription < 2.3.4

References

https://github.com/StarCitizenTools/mediawiki-extensions-...
x_refsource_CONFIRM
https://github.com/StarCitizenTools/mediawiki-extensions-...
x_refsource_MISC
https://github.com/StarCitizenTools/mediawiki-extensions-...
x_refsource_MISC

CVSS V3.1

Score:
4.7
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.