Description
Incomplete blacklist vulnerability in includes/upload/UploadBase.php in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via an application/xml MIME type for a nested SVG with a data: URI.
Remediation
References