Unrated severityNVD Advisory· Published Jul 2, 2022· Updated Aug 3, 2024
CVE-2022-34911
CVE-2022-34911
Description
An issue was discovered in MediaWiki before 1.35.7, 1.36.x and 1.37.x before 1.37.3, and 1.38.x before 1.38.1. XSS can occur in configurations that allow a JavaScript payload in a username. After account creation, when it sets the page title to "Welcome" followed by the username, the username is not escaped: SpecialCreateAccount::successfulAction() calls ::showSuccessPage() with a message as second parameter, and OutputPage::setPageTitle() uses text().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
3Patches
Vulnerability mechanics
References
6- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7N5ZBWLNNPZKFK7Q4KEHGCJ2YELQEUJP/mitrevendor-advisory
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DKKOQXPYLMBSEVDHFS32BPBR3ZQJKY5B/mitrevendor-advisory
- security.gentoo.org/glsa/202305-24mitrevendor-advisory
- www.debian.org/security/2022/dsa-5246mitrevendor-advisory
- lists.debian.org/debian-lts-announce/2022/09/msg00027.htmlmitremailing-list
- phabricator.wikimedia.org/T308471mitre
News mentions
0No linked articles in our index yet.