Fluid Attacks Database

Description

MediaWiki Cross-site Scripting (XSS) vulnerability An issue was discovered in MediaWiki 1.32.x through 1.34.x before 1.34.4. LogEventList::getFiltersDesc is insecurely using message text to build options names for an HTML multi-select field. The relevant code should use escaped() instead of text().

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	mediawiki	>=0 <1:1.35.0-1	1:1.35.0-1
packagist	mediawiki/core	>=1.32.0 <1.34.3 \|\| >=1.35.0-rc.0 <1.35.0	1.34.3, 1.35.0
debian 11	mediawiki	>=0 <1:1.35.0-1	1:1.35.0-1
debian 12	mediawiki	>=0 <1:1.35.0-1	1:1.35.0-1
debian 14	mediawiki	>=0 <1:1.35.0-1	1:1.35.0-1

Aliases

1. CVE-2020-258152. NVD-2020-258153. OSV-DEBIAN-2020-258154. OSV-2020-258155. GCVE-2020-258156. SECURITY-TRACKER-CVE-2020-25815

References

1. https://gerrit.wikimedia.org/g/mediawiki/core/+/ec76e14be658187544f07c1a249a047e1a75eaf8/includes/logging/LogEventsList.php#2142. https://github.com/FriendsOfPHP/security-advisories/blob/master/mediawiki/core/CVE-2020-25815.yaml3. https://lists.fedoraproject.org/archives/list/[email protected]/message/RTTPZ7XMDS66I442OLLHXBDNP2LCBJU64. https://lists.wikimedia.org/pipermail/mediawiki-l/2020-September/048480.html5. https://lists.wikimedia.org/pipermail/mediawiki-l/2020-September/048488.html6. https://phabricator.wikimedia.org/T256171