Description
Incomplete blacklist vulnerability in Sanitizer::checkCss in MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 allows remote attackers to conduct cross-site scripting (XSS) attacks via certain non-ASCII characters in CSS, as demonstrated using variations of "expression" containing (1) full width characters or (2) IPA extensions, which are converted and rendered by Internet Explorer.
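The root cause described above is a blacklist that compares raw bytes while the browser compares a folded form of the text. As an added example (not code from this page or from MediaWiki), the Python below contrasts an ASCII-only substring blacklist with a check that first applies Unicode compatibility normalization (NFKC) and then refuses any character that is still outside printable ASCII. The function names, token list and sample CSS strings are constructed for illustration; the fullwidth sample is one of the "variations of expression" the description refers to, the IPA Extensions sample merely uses a character from that block (U+0280) without claiming which characters any particular browser folds, and the normalize-then-restrict approach is this example's own hardening, not necessarily the fix MediaWiki shipped.

```python
import re
import unicodedata

# Constructed sample inputs (not taken from the advisory or from MediaWiki).
BENIGN = "color: #ff0000; width: 10px"
ASCII_EXPRESSION = "width: expression(alert(1))"
# The same property with "expression" spelled in FULLWIDTH LATIN letters
# (U+FF45 U+FF58 U+FF50 U+FF52 U+FF45 U+FF53 U+FF53 U+FF49 U+FF4F U+FF4E).
FULLWIDTH_EXPRESSION = "width: \uff45\uff58\uff50\uff52\uff45\uff53\uff53\uff49\uff4f\uff4e(alert(1))"
# A variant carrying one character from the IPA Extensions block (U+0280).
IPA_VARIANT = "width: exp\u0280ession(alert(1))"

# Substrings the check refuses.  This is an illustrative list, not the
# project's own pattern; "expression" is the one relevant to the CVE text.
DANGEROUS_TOKENS = ("expression", "behavior", "-moz-binding", "url(", "javascript:")


def naive_check_css(css: str) -> bool:
    """Incomplete blacklist in the spirit of the vulnerable check: a
    case-folded substring match on the string exactly as received.
    Returns True when the CSS is accepted."""
    lowered = css.lower()
    return not any(token in lowered for token in DANGEROUS_TOKENS)


def normalize_css(css: str) -> str:
    """Fold compatibility variants (fullwidth forms among them) to their
    canonical code points so the blacklist sees what the browser will see."""
    return unicodedata.normalize("NFKC", css)


def hardened_check_css(css: str) -> bool:
    """Normalize first, then refuse anything the normalization did not
    bring back into printable ASCII.  Letters that NFKC leaves alone but a
    renderer might still fold therefore never reach the substring match.
    Returns True when the CSS is accepted."""
    normalized = normalize_css(css)
    if re.search(r"[^\x20-\x7e]", normalized):
        return False
    lowered = normalized.lower()
    return not any(token in lowered for token in DANGEROUS_TOKENS)


def compare(css: str) -> dict:
    """Run both checks on one input and report what each one saw."""
    return {
        "naive_accepts": naive_check_css(css),
        "hardened_accepts": hardened_check_css(css),
        "normalized": normalize_css(css),
    }


if __name__ == "__main__":
    for label, sample in (
        ("benign", BENIGN),
        ("ascii expression", ASCII_EXPRESSION),
        ("fullwidth expression", FULLWIDTH_EXPRESSION),
        ("ipa variant", IPA_VARIANT),
    ):
        print(f"{label:22s} {compare(sample)}")
```

The naive check accepts both non-ASCII samples because no byte sequence in them equals "expression"; the hardened check rejects the fullwidth one after NFKC turns it into the ASCII word, and rejects the IPA variant because a non-ASCII letter survives normalization. Restricting style attributes to printable ASCII is a deliberately conservative choice that suits an inline-style sanitizer; a context that legitimately needs non-ASCII in CSS strings would instead allowlist the specific ranges it accepts.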
Remediation
References
Related Vulnerabilities
Atlassian Jira CVE-2020-36286 Vulnerability (CVE-2020-36286)
PHP Permissions, Privileges, and Access Controls Vulnerability (CVE-2007-3378)
WordPress Plugin ListingPro Local File Inclusion (2.9.3)
Atlassian Confluence Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2012-6342)
WordPress Plugin underConstruction Cross-Site Scripting (1.18)