CVE-2020-10960
Description
In MediaWiki before 1.34.1, users can add various Cascading Style Sheets (CSS) classes (which can affect what content is shown or hidden in the user interface) to arbitrary DOM nodes via HTML content within a MediaWiki page. This occurs because jquery.makeCollapsible allows applying an event handler to any Cascading Style Sheets (CSS) selector. There is no known way to exploit this for cross-site scripting (XSS).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In MediaWiki before 1.34.1, the jquery.makeCollapsible module allows users to apply event handlers to arbitrary CSS selectors, enabling manipulation of the UI but not XSS.
Vulnerability
CVE-2020-10960 is a security issue in MediaWiki versions prior to 1.34.1, 1.33.3, and 1.31.7. The vulnerability resides in the jquery.makeCollapsible module, which derives a CSS selector from the id attribute of span elements carrying the mw-collapsible class. When a user places such an element with a crafted id in a wiki page, the module applies its click handlers and modifies DOM attributes (adding tabindex=0 and the mw-customtoggle class) on every element that matches the resulting selector. This effectively lets any editor control which DOM nodes respond to clicks for collapsing or expanding content, potentially including interface elements outside the article body or, with a wildcard selector such as `*`, every node in the document [1][2].
Exploitation
To exploit this, an attacker must be able to edit a wiki page and insert the crafted HTML. On Wikimedia sites this is possible because they use $wgFragmentMode = [ 'html5', 'legacy' ], which preserves the id attribute value as written instead of escaping it, so the selector metacharacters survive into the rendered page. No privileges beyond normal edit rights are required. The exploitation does not lead to cross-site scripting (XSS), because the attached handlers only trigger the collapsible toggling behaviour; it can, however, interfere with administrative actions by hijacking click events on interface elements elsewhere on the page [2][3].
Impact
The primary impact is UI manipulation. An attacker can cause unintended show/hide behaviour on arbitrary page elements or interface components. While the official description states there is no known XSS vector, the ability to attach handlers to any CSS selector could disrupt admin workflows (for example, making it harder to revert edits or delete a page). The maintainers rated this a minor issue that could be combined with other bugs for more serious consequences, though no such combination was demonstrated [2].
Mitigation
MediaWiki released patched versions 1.34.1, 1.33.3, and 1.31.7. The fix passes the id-derived value through $.escapeSelector before it is used in a selector, so metacharacters such as commas and asterisks are backslash-escaped and the value can only ever match the intended toggle class. The fix was committed in Gerrit and shipped in the security release announced on the wikitech-l mailing list [3][4]. Administrators are advised to upgrade to these versions or apply the patch if remaining on older branches.
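The following is an added illustration, not MediaWiki's own code. It models the selector construction described under Vulnerability and the $.escapeSelector fix described under Mitigation: the id of an mw-collapsible element is assumed to have the form mw-customcollapsible-<suffix>, and the module is assumed to look up its toggler elements with the selector .mw-customtoggle-<suffix> (the prefix handling is a simplification made for this example). escapeSelector() reimplements the jQuery 3 $.escapeSelector algorithm (equivalent to CSS.escape) so the block runs in Node without jQuery or a DOM, and splitSelectorList() shows how a selector engine would break the unescaped value into a selector list.

```javascript
// Added example (not MediaWiki code). Shows why an unescaped id suffix turns
// ".mw-customtoggle-<suffix>" into an attacker-chosen selector list, and how
// escaping the suffix (the 1.34.1 fix) collapses it back to one class selector.

const ID_PREFIX = "mw-customcollapsible-";      // assumed id convention
const TOGGLE_CLASS_PREFIX = ".mw-customtoggle-"; // assumed toggler selector

// Same rule jQuery 3 uses in $.escapeSelector: control characters, a leading
// digit (optionally after "-") and a lone "-" become "\<hex> "; any other
// character that is not a word character, "-" or non-ASCII gets a backslash.
const RCSS_ESCAPE = /([\0-\x1f\x7f]|^-?\d)|^-$|[^\x80-\uFFFF\w-]/g;

function escapeSelector(value) {
  return String(value).replace(RCSS_ESCAPE, (ch, asCodePoint) => {
    if (asCodePoint) {
      if (ch === "\0") return "\uFFFD";
      return ch.slice(0, -1) + "\\" + ch.charCodeAt(ch.length - 1).toString(16) + " ";
    }
    return "\\" + ch;
  });
}

// Build the toggler selector from a collapsible element's id.
// escape=false mirrors the pre-fix behaviour, escape=true the fixed one.
// Returns null for ids that do not follow the custom-collapsible convention.
function buildToggleSelector(id, escape) {
  if (!id.startsWith(ID_PREFIX)) return null;
  const suffix = id.slice(ID_PREFIX.length);
  return TOGGLE_CLASS_PREFIX + (escape ? escapeSelector(suffix) : suffix);
}

// Split a selector on top-level, unescaped commas the way a selector engine
// does. A backslash protects the next character, and commas inside quotes,
// brackets or parentheses do not split.
function splitSelectorList(selector) {
  const parts = [];
  let cur = "";
  let depth = 0;
  let quote = null;
  for (let i = 0; i < selector.length; i++) {
    const c = selector[i];
    if (c === "\\") {
      cur += c + (selector[i + 1] || "");
      i++;
      continue;
    }
    if (quote) {
      if (c === quote) quote = null;
      cur += c;
      continue;
    }
    if (c === '"' || c === "'") { quote = c; cur += c; continue; }
    if (c === "[" || c === "(") depth++;
    if (c === "]" || c === ")") depth--;
    if (c === "," && depth === 0) {
      parts.push(cur.trim());
      cur = "";
      continue;
    }
    cur += c;
  }
  if (cur.trim()) parts.push(cur.trim());
  return parts;
}

// Constructed sample ids: a benign one and one that smuggles a wildcard.
const BENIGN_ID = "mw-customcollapsible-myTable";
const CRAFTED_ID = "mw-customcollapsible-x,*";

// Run both ids through the unfixed and fixed construction and report which
// selectors the toggler lookup would actually evaluate.
function demo() {
  const rows = [];
  for (const id of [BENIGN_ID, CRAFTED_ID]) {
    for (const escape of [false, true]) {
      const selector = buildToggleSelector(id, escape);
      rows.push({ id, escape, selector, targets: splitSelectorList(selector) });
    }
  }
  return rows;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of demo()) {
    console.log(`${r.escape ? "fixed  " : "unfixed"} ${r.id} -> ${r.selector} ` +
      `=> ${r.targets.length} selector(s): ${JSON.stringify(r.targets)}`);
  }
}
```

With the crafted id the unfixed path yields `.mw-customtoggle-x,*`, which a selector engine evaluates as two selectors, the second of which matches every element in the document; the fixed path yields `.mw-customtoggle-x\,\*`, a single class selector that can only match an element whose class literally contains the comma and asterisk.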
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mediawiki/core (Packagist) | >= 1.31.0, < 1.31.7 | 1.31.7 |
| mediawiki/core (Packagist) | >= 1.33.0, < 1.33.3 | 1.33.3 |
| mediawiki/core (Packagist) | >= 1.34.0, < 1.34.1 | 1.34.1 |
Affected products
- MediaWiki / MediaWiki (from the description): < 1.34.1, plus 1 more range
- OSV coordinates (no CPE): < 1.34.1
- OSV coordinates (no CPE): >= 1.31.0, < 1.31.7
Patches
No patches discovered yet.
References
- GitHub Security Advisory GHSA-pfm2-mqwj-ggm5: https://github.com/advisories/GHSA-pfm2-mqwj-ggm5
- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2020-10960
- FriendsOfPHP security-advisories: https://github.com/FriendsOfPHP/security-advisories/blob/master/mediawiki/core/CVE-2020-10960.yaml
- wikitech-l security release announcement (March 2020): https://lists.wikimedia.org/pipermail/wikitech-l/2020-March/093243.html
- Wikimedia Phabricator task T246602: https://phabricator.wikimedia.org/T246602