CVE-2019-12471
Description
Wikimedia MediaWiki 1.30.0 through 1.32.1 has XSS. Loading user JavaScript from a non-existent account allows anyone to create the account, and perform XSS on users loading that script. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Loading user JavaScript from a non-existent account in MediaWiki 1.30.0-1.32.1 allows anyone to create the account and perform XSS on users loading that script.
Vulnerability
CVE-2019-12471 is a cross-site scripting (XSS) vulnerability in MediaWiki versions 1.30.0 through 1.32.1. The root cause is that MediaWiki allows loading user JavaScript from pages such as User:Foo/bar.js even when the user account Foo does not exist. This creates a dangerous situation where an attacker can register the non-existent account and then control the content of the script, leading to XSS when other users load it via importScript [1][3].
Exploitation
To exploit this vulnerability, an attacker only needs the ability to register a new account on the wiki (if registration is open) and then create a user script page under that account. Any user who loads the script via importScript('User:Foo/bar.js') will execute the attacker's JavaScript in their browser. No additional authentication or network position is required beyond standard wiki access [2][3].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, data theft, defacement, or other malicious actions performed on behalf of the victim [1][4].
Mitigation
The vulnerability is fixed in MediaWiki versions 1.32.2, 1.31.2, 1.30.2, and 1.27.6. The Debian security advisory DSA-4460-1 also addresses this issue [2][4]. Users are strongly advised to upgrade, especially as MediaWiki 1.30 and 1.27 have reached their end-of-life dates and will no longer receive security updates [2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
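The check that closes this class of bug is the one the Vulnerability and Mitigation sections describe: a user-script page such as User:Foo/bar.js must only be loadable when the account Foo already exists, so that nobody can later register that name and supply the script. The Python below is an added illustration written for this page, not MediaWiki's own code or its actual patch; the title regex, the first-letter capitalisation rule, the constructed `EXISTING_USERS` set and the `importScript` scanner are all assumptions made for the example. It shows the pre-fix decision next to the hardened one and includes a defender-side audit that flags `importScript` targets whose owning account does not exist.

```python
import re

# Constructed set of account names, standing in for the wiki's user table.
EXISTING_USERS = {"Alice", "Bob"}

# Matches "User:<name>/<subpage>.js". User names cannot contain "/" in
# MediaWiki, so everything after the first slash is the subpage path.
# (Regex and namespace handling are simplified for this example.)
USER_JS_TITLE = re.compile(r"^User:([^/]+)/(.+\.js)$")


def parse_user_script_title(title: str):
    """Split a user-script title into (account, subpage), or return None when
    the title is not a User:<name>/<sub>.js page."""
    m = USER_JS_TITLE.match(title.strip())
    if not m:
        return None
    account, subpage = m.group(1), m.group(2)
    # MediaWiki stores user names with an upper-case first letter; this example
    # assumes that is the only normalisation needed before the lookup.
    account = account[0].upper() + account[1:]
    return account, subpage


def vulnerable_can_load(title: str, existing_users=EXISTING_USERS) -> bool:
    """Pre-fix behaviour (CVE-2019-12471): any syntactically valid user-script
    title is loadable, whether or not the owning account exists."""
    return parse_user_script_title(title) is not None


def hardened_can_load(title: str, existing_users=EXISTING_USERS) -> bool:
    """Hardened check: refuse user scripts whose owning account does not exist,
    so a later registration of that name cannot supply the script."""
    parsed = parse_user_script_title(title)
    if parsed is None:
        return False
    account, _subpage = parsed
    return account in existing_users


def audit_import_calls(js_source: str, existing_users=EXISTING_USERS):
    """Defender-side audit: scan a script for importScript('User:...') calls and
    return the targets whose owning account does not exist. On an unpatched
    wiki those are the references an attacker could satisfy by registering
    the missing name; on a patched wiki they are dead references to clean up."""
    findings = []
    for m in re.finditer(r"importScript\(\s*['\"]([^'\"]+)['\"]\s*\)", js_source):
        target = m.group(1)
        if not hardened_can_load(target, existing_users):
            findings.append(target)
    return findings


if __name__ == "__main__":
    # Constructed sample of a site-wide or personal script that imports two
    # user scripts; only Alice exists in EXISTING_USERS.
    sample = (
        "importScript('User:Alice/tools.js');\n"
        "importScript(\"User:Foo/bar.js\");\n"
    )
    print("pre-fix loads User:Foo/bar.js:", vulnerable_can_load("User:Foo/bar.js"))
    print("hardened loads User:Foo/bar.js:", hardened_can_load("User:Foo/bar.js"))
    print("dangling imports:", audit_import_calls(sample))
```

Running the module prints `True`, `False` and `['User:Foo/bar.js']`: the pre-fix path accepts the script of a non-existent account, the hardened path rejects it, and the audit singles out the dangling import. The same existence check belongs wherever a user-script title is resolved, not only in `importScript`, since any loader that trusts the title alone has the same gap.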
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mediawiki/core (Packagist) | >= 1.27.0, < 1.27.6 | 1.27.6 |
| mediawiki/core (Packagist) | >= 1.30.0, < 1.30.2 | 1.30.2 |
| mediawiki/core (Packagist) | >= 1.31.0, < 1.31.2 | 1.31.2 |
Affected products
- Wikimedia/MediaWiki
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-2rm7-xxx8-35jh (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-12471 (NVD advisory)
- www.debian.org/security/2019/dsa-4460 (Debian vendor advisory, DSA-4460)
- github.com/FriendsOfPHP/security-advisories/blob/master/mediawiki/core/CVE-2019-12471.yaml (FriendsOfPHP security-advisories entry)
- lists.wikimedia.org/pipermail/wikitech-l/2019-June/092152.html (upstream release announcement, wikitech-l)
- phabricator.wikimedia.org/T207603 (upstream bug tracker task)
- seclists.org/bugtraq/2019/Jun/12 (Bugtraq mailing-list post)
News mentions
No linked articles in our index yet.