Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
An XSS vulnerability exists in MediaWiki before versions 1.39.7, 1.40.x before 1.40.3, and 1.41.x before 1.41.1 due to improper handling of the 0x1b character in includes/CommentFormatter/CommentParser.php. An attacker can inject malicious scripts into Special:RecentChanges by sending a crafted 0x1b character sequence.
This vulnerability could allow an attacker to execute arbitrary script in the context of the vulnerable MediaWiki site. Impact includes theft of user credentials, website defacement, spreading malware to users, and potentially full server compromise if the MediaWiki software is running with elevated privileges.
There is no evidence that a public proof-of-concept exists, and no evidence of exploitation in the wild at the moment.
Patched versions of MediaWiki are available: 1.39.7, 1.40.3 and 1.41.1. Upgrading to one of these fixed releases resolves the issue.
Until a patched version can be installed, apply strict input validation and context-appropriate output encoding to user-supplied data (including edit summaries) before it is rendered in web pages. A web application firewall may also help detect and block attempted XSS attacks, but it is not a substitute for the upgrade.
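As an added illustration of the mitigation above (not MediaWiki's own code, and not the fix applied in CommentParser.php), the following Python shows a weak comment renderer that HTML-escapes but lets C0 control characters such as ESC (0x1b) through, beside a hardened renderer that strips them before encoding, plus a small audit helper for reviewing edit summaries. The sample summaries are constructed for the example.

```python
import html
import re

# Constructed sample edit summaries (not from the advisory): one benign, one
# carrying ESC (0x1b) control characters of the kind the advisory describes.
SAMPLE_SUMMARIES = [
    "Fix typo in lead section",
    "Update infobox \x1b[31mhighlight\x1b[0m <b>see talk</b>",
]

# C0 control characters other than tab, line feed and carriage return, plus DEL.
_CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def find_control_chars(comment: str) -> list[tuple[int, str]]:
    """Return (offset, U+XXXX) pairs for every control character in a comment.
    Useful when reviewing logs: edit summaries should never carry such bytes."""
    return [(m.start(), f"U+{ord(m.group()):04X}")
            for m in _CONTROL_CHARS.finditer(comment)]


def render_comment_weak(comment: str) -> str:
    """Weak rendering (hypothetical): HTML-escapes markup but passes control
    characters through unchanged, so the raw 0x1b byte reaches the page."""
    return html.escape(comment, quote=True)


def render_comment_hardened(comment: str) -> str:
    """Hardened rendering: drop control characters first, then HTML-escape.
    Order matters: neutralize the raw input, then encode for the output context."""
    cleaned = _CONTROL_CHARS.sub("", comment)
    return html.escape(cleaned, quote=True)


def audit_summaries(summaries: list[str]) -> list[dict]:
    """Flag each summary that carries control characters, with both renderings."""
    report = []
    for summary in summaries:
        hits = find_control_chars(summary)
        if hits:
            report.append({"summary": summary, "hits": hits,
                           "weak": render_comment_weak(summary),
                           "hardened": render_comment_hardened(summary)})
    return report
```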
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
NVD published the first details for CVE-2024-34507
Feedly found the first article mentioning CVE-2024-34507.
Feedly estimated the CVSS score as MEDIUM
RedHat CVE advisory released a security advisory (CVE-2024-34507).
A CVSS base score of 5.3 has been assigned.
EPSS Score was set to: 0.04% (Percentile: 8.3%)
Detection for the vulnerability has been added to Nessus (195321)
A CVSS base score of 7.4 has been assigned.
Detection for the vulnerability has been added to Qualys (285781)