Description

An issue was discovered in SpecialEditGrowthConfig in the GrowthExperiments extension in MediaWiki through 1.36.2. The growthexperiments-edit-config-error-invalid-title MediaWiki message was not being properly sanitized and allowed for the injection and execution of HTML and JavaScript.

Remediation

References

CVE-2021-42042

Related Vulnerabilities

Jenkins Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2018-1000170)

WordPress Plugin InstaWP Connect-1-click WP Staging & Migration Security Bypass (0.1.0.38)

Magento Improper Authentication Vulnerability (CVE-2015-3457)

WordPress Plugin Newsletters Multiple Vulnerabilities (4.6.6.2)

PostgreSQL Permissions, Privileges, and Access Controls Vulnerability (CVE-2007-2138)

Severity

Medium

Classification

CVE-2021-42042 CWE-707 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities