CVE-2013-4573
Description
Cross-site scripting (XSS) vulnerability in the ZeroRatedMobileAccess extension for MediaWiki allows remote attackers to inject arbitrary web script or HTML via the 'to' parameter to index.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The ZeroRatedMobileAccess extension for MediaWiki contains a reflected cross-site scripting (XSS) vulnerability in the 'to' parameter that index.php accepts for the Special:ZeroRatedMobileAccess page. The advisory lists MediaWiki 1.19.x before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 as affected; because the vulnerable code lives in the extension rather than in core, only installations with ZeroRatedMobileAccess enabled are exposed. The flaw is in the extension's handling of the user-supplied parameter value, which is reflected into the response without being properly escaped [1][2].
Exploitation
An attacker exploits this by crafting a URL that carries a payload in the 'to' parameter, for example: https://ha.m.wikipedia.org/w/index.php?title=Special:ZeroRatedMobileAccess&from=File:Wikiversity-logo.svg&to=javascript:alert(document.cookie). No authentication is required; the attacker only has to get a victim to open the crafted link. The parameter value is reflected without sanitisation, so arbitrary script runs in the victim's browser [2]. Note the shape of the example payload: a javascript: URI fires when the victim follows the link the page builds from the value, whereas a payload that closes the surrounding attribute or element would run as soon as the page loads, so both the URI scheme and the HTML context of the reflected value matter when assessing a fix.
Impact
Successful exploitation lets an attacker execute arbitrary script or HTML in the victim's browser within the origin of the affected MediaWiki site. This can lead to session hijacking, theft of data visible to the victim, defacement, or redirection to malicious sites, with the attacker acting under whatever permissions the victim's session holds [1][2].
Mitigation
The vulnerability was fixed in MediaWiki releases 1.19.9, 1.20.8, and 1.21.3, published on November 13, 2013 [1]. Administrators should upgrade to these or later versions. The fix is also available as a patch in Gerrit (change Ie301c3) [2] for installations that track the extension separately. There are no known workarounds for unpatched installations other than disabling the extension, which removes the Special:ZeroRatedMobileAccess page along with the functionality it provides; otherwise the only mitigation is to apply the update.
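To make the Exploitation and Mitigation points concrete, the following is an added example written for this page in Python; it is not the extension's PHP code and does not reproduce the actual fix. A hypothetical unsafe renderer interpolates 'to' straight into a link, a hardened renderer treats 'to' as a wiki page title and builds the href itself (so the javascript: example becomes a harmless relative path and an attribute breakout is rejected), and a small triage helper flags suspicious requests in access logs. The URLs, renderer functions and title rules are assumptions for illustration.

```python
"""
Added example (not the extension's code): a reflected XSS of the kind
described for the 'to' parameter, rebuilt in Python, beside a hardened
renderer that treats 'to' as a wiki page title instead of as a URL, and a
small triage check for request logs. All function names are hypothetical.
"""
import html
import re
from urllib.parse import parse_qs, quote, urlsplit

# Constructed samples: the crafted URL quoted above, an attribute-breakout
# variant, and a benign request for comparison.
CRAFTED_JS_URI = ("https://ha.m.wikipedia.org/w/index.php?title=Special:ZeroRatedMobileAccess"
                  "&from=File:Wikiversity-logo.svg&to=javascript:alert(document.cookie)")
CRAFTED_BREAKOUT = ("https://ha.m.wikipedia.org/w/index.php?title=Special:ZeroRatedMobileAccess"
                    "&from=Main_Page&to=%22%3E%3Cscript%3Ealert(1)%3C/script%3E")
BENIGN = ("https://ha.m.wikipedia.org/w/index.php?title=Special:ZeroRatedMobileAccess"
          "&from=Main_Page&to=File:Wikiversity-logo.svg")


def params_of(url):
    """Single-valued view of a URL's query string (first value wins)."""
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in q.items()}


def render_vulnerable(frm, to):
    """Hypothetical unsafe renderer: user input goes straight into an href
    and into element text. A javascript: URI (runs when the link is
    followed) and an attribute breakout (runs on load) both survive."""
    return f'<p>Leave {frm} for <a href="{to}">{to}</a>?</p>'


# Simplified MediaWiki-style title rules: non-empty and none of the
# characters MediaWiki forbids in page names.
_BAD_TITLE_CHARS = re.compile(r'[<>\[\]{}|#]')


def as_wiki_title(value):
    """Return a normalised page title, or None if the value cannot be one."""
    title = value.strip().replace(" ", "_")
    if not title or _BAD_TITLE_CHARS.search(title):
        return None
    return title


def render_hardened(frm, to):
    """Never use 'to' as a URL: parse it as a title, derive the href from the
    title, and HTML-escape everything that reaches the page. Escaping alone
    would not stop a javascript: URI, because it has no HTML metacharacters;
    building the href from a title does."""
    src, dst = as_wiki_title(frm), as_wiki_title(to)
    if src is None or dst is None:
        return "<p>Invalid page title.</p>"
    href = "/wiki/" + quote(dst, safe=":/()_")
    return (f'<p>Leave {html.escape(src, quote=True)} for '
            f'<a href="{html.escape(href, quote=True)}">{html.escape(dst, quote=True)}</a>?</p>')


_SCRIPT_SCHEMES = re.compile(r'^\s*(javascript|data|vbscript)\s*:', re.I)


def flag_request(url):
    """Log-triage helper: a reason the request looks like an attempt against
    'to' on the special page, or None. A benign title such as File:X, which
    also has a colon, is deliberately not flagged."""
    p = params_of(url)
    if p.get("title") != "Special:ZeroRatedMobileAccess" or "to" not in p:
        return None
    to = p["to"]
    if _SCRIPT_SCHEMES.match(to):
        return "script-scheme URI in to="
    if re.search(r'[<>"\']', to):
        return "HTML metacharacters in to="
    return None


if __name__ == "__main__":
    to = params_of(CRAFTED_JS_URI)["to"]
    print("vulnerable:", render_vulnerable("File:Wikiversity-logo.svg", to))
    print("hardened:  ", render_hardened("File:Wikiversity-logo.svg", to))
    for u in (CRAFTED_JS_URI, CRAFTED_BREAKOUT, BENIGN):
        print(flag_request(u), u)
```

The design point is that output escaping and URL handling are separate controls: escaping protects the element and attribute contexts, while deriving the link target from a validated title (rather than trusting the parameter as a URL) is what neutralises the javascript: payload shown in the Exploitation section.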
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:mediawiki:mediawiki:1.19.0:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.1:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.2:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.3:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.4:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.5:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.6:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.7:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.19.8:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.20:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.20.1:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.20.2:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.20.3:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.20.4:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.20.5:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.20.6:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.20.7:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.21:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.21.1:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.21.2:*:*:*:*:*:*:*
- Range: 1.19.x < 1.19.9, 1.20.x < 1.20.8, 1.21.x < 1.21.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.