Description
MediaWiki before 1.35.1 allows XSS via BlockLogFormatter.php. MediaWiki:blanknamespace potentially can be output as raw HTML with SCRIPT tags via LogFormatter::makePageLink(). This affects MediaWiki 1.33.0 and later.
Remediation
References
Related Vulnerabilities
phpMyFAQ Sensitive Cookie in HTTPS Session Without 'Secure' Attribute Vulnerability (CVE-2023-5866)
UAParser.js Other Vulnerability (CVE-2021-27292)
MySQL Permissions, Privileges, and Access Controls Vulnerability (CVE-2008-4097)
PHP Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2014-4721)
WordPress Plugin Swipe Checkout for Jigoshop Cross-Site Scripting (3.1.0)