Description
An issue was discovered in SiteLinksView.php in Wikibase in MediaWiki through 1.39.3. There is XSS via a crafted badge title attribute. This is also related to lack of escaping in wbTemplate (from resources/wikibase/templates.js) for quotes (which can be in a title attribute).
Remediation
References
Related Vulnerabilities
WordPress Plugin WP Statistics SQL Injection (13.1.4)
Ruby on Rails CVE-2019-5418 Vulnerability (CVE-2019-5418)
MongoDb Reachable Assertion Vulnerability (CVE-2026-5170)
WordPress Plugin Brizy-Page Builder Security Bypass (1.0.125)
WordPress Plugin Advanced Access Manager Cross-Site Scripting (6.7.9)