Moderate severityNVD Advisory· Published Jan 12, 2024· Updated Jun 3, 2025
CVE-2024-23173
CVE-2024-23173
Description
An issue was discovered in the Cargo extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. The Special:Drilldown page allows XSS via artist, album, and position parameters because of applied filter values in drilldown/CargoAppliedFilter.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
mediawiki/cargoPackagist | < 1.35.14 | 1.35.14 |
mediawiki/cargoPackagist | >= 1.36.0, < 1.39.6 | 1.39.6 |
mediawiki/cargoPackagist | >= 1.40.0, < 1.40.2 | 1.40.2 |
Affected products
3- osv-coords2 versions
< 1.41.1+ 1 more
- (no CPE)range: < 1.41.1
- (no CPE)range: < 1.35.14
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-rhpm-63w5-79rgghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-23173ghsaADVISORY
- gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/965214ghsaWEB
- github.com/wikimedia/mediawiki-extensions-Cargo/commit/e4f0b7fb11da0e4b18f2c416101965e417ba3bd2ghsaWEB
- phabricator.wikimedia.org/T348687ghsaWEB
News mentions
0No linked articles in our index yet.