Description
An issue was discovered in the GlobalWatchlist extension in MediaWiki through 1.36.2. The rev-deleted-user and ntimes messages were not properly escaped and allowed for users to inject HTML and JavaScript.
Remediation
References
Related Vulnerabilities
WordPress 5.8.x Directory Traversal (5.8 - 5.8.9)
Oracle Database Server CVE-2006-5336 Vulnerability (CVE-2006-5336)
PostgreSQL Other Vulnerability (CVE-2015-3165)
Drupal Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2012-0826)
MediaWiki URL Redirection to Untrusted Site ('Open Redirect') Vulnerability (CVE-2017-0364)