CVE-2024-23173
Description
An issue was discovered in the Cargo extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. The Special:Drilldown page allows XSS via artist, album, and position parameters because of applied filter values in drilldown/CargoAppliedFilter.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in MediaWiki's Cargo extension lets an attacker who lures a user to a crafted Special:Drilldown link run arbitrary JavaScript in that user's session, because applied filter values taken from the URL are output without HTML escaping.
Vulnerability
Overview
The Cargo extension for MediaWiki is vulnerable to a reflected cross-site scripting (XSS) attack on the Special:Drilldown page. The flaw, tracked as CVE-2024-23173, is in drilldown/CargoAppliedFilter.php: the applied filter values taken from query parameters such as artist, album, and position are written into the page without HTML escaping [1], so whoever controls the URL can inject arbitrary HTML and JavaScript. The issue affects versions before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2 [1].
Exploitation
Prerequisites
Exploitation requires no privileges on the wiki: the attacker crafts a link to Special:Drilldown whose filter parameter carries the script, URL-encoded, and delivers it to a victim. Because the payload travels in the URL rather than in wiki content, nothing is stored server-side and the script runs on every visit to that link (a reflected, not stored, XSS). When the victim is logged into the wiki, the injected JavaScript executes in the context of the victim's session [2]. The attack surface is the public-facing Special:Drilldown interface.
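The attacker's link and a matching access-log check, as an added example that is not part of the advisory or of the Cargo extension's code. Assumptions not taken from the page: the wiki answers at /index.php?title=... (and optionally short URLs under /wiki/), the filter names travel as plain query parameters (the CVE names artist, album and position), and the log is in the Apache/nginx "combined" format. The log lines in SAMPLE_ACCESS_LOG are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlencode, urlsplit

# Filter parameters named in the CVE description (assumed to be query-string keys).
FILTER_PARAMS = {"artist", "album", "position"}
# Any of these appearing raw in a filter value can break out of an HTML text
# node or attribute; a benign value such as "Miles Davis" contains none.
HTML_META = re.compile(r"[<>\"']")

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def craft_drilldown_url(base, table, param, payload):
    """Attacker view: the payload is simply a filter value in the query string."""
    query = urlencode({"title": "Special:Drilldown/" + table, param: payload})
    return f"{base}/index.php?{query}"


def suspicious_filter_values(log_line):
    """Defender view: return {param: decoded value} for Special:Drilldown requests
    whose filter values contain HTML metacharacters; {} for anything else."""
    m = LOG_RE.match(log_line)
    if not m:
        return {}
    target = urlsplit(m.group("target"))
    # parse_qs percent-decodes exactly once, which is what PHP's $_GET sees,
    # so a %3C in the log is compared as "<" here.
    query = parse_qs(target.query, keep_blank_values=True)
    title = query.get("title", [""])[0]
    is_drilldown = (title.startswith("Special:Drilldown")
                    or "Special:Drilldown" in unquote(target.path))
    if not is_drilldown:
        return {}
    return {
        name: value
        for name, values in query.items() if name in FILTER_PARAMS
        for value in values if HTML_META.search(value)
    }


def scan_log(lines):
    """Return (client IP, offending values) for every suspicious line."""
    hits = []
    for line in lines:
        found = suspicious_filter_values(line)
        if found:
            hits.append((LOG_RE.match(line).group("ip"), found))
    return hits


SAMPLE_ACCESS_LOG = [
    # constructed: script injection through the artist filter
    '203.0.113.7 - - [10/Jan/2024:12:00:00 +0000] "GET /index.php?title=Special%3ADrilldown%2FAlbums'
    '&artist=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # constructed: legitimate drilldown use
    '198.51.100.4 - - [10/Jan/2024:12:00:01 +0000] "GET /index.php?title=Special%3ADrilldown%2FAlbums'
    '&artist=Miles+Davis HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # constructed: metacharacters on a different special page are not this bug
    '198.51.100.4 - - [10/Jan/2024:12:00:02 +0000] "GET /index.php?title=Special%3ASearch'
    '&search=%3Cb%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    # constructed: short-URL form with an attribute-breakout payload in album
    '203.0.113.7 - - [10/Jan/2024:12:00:03 +0000] "GET /wiki/Special:Drilldown/Albums'
    '?album=x%27%20onmouseover%3Dalert%281%29 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(craft_drilldown_url("https://wiki.example", "Albums", "artist",
                              "<script>alert(1)</script>"))
    for ip, found in scan_log(SAMPLE_ACCESS_LOG):
        print(ip, found)
```

The check deliberately decodes the query only once, so it flags what the PHP code would actually have received; double-encoded payloads would reach the page as literal percent signs and are not this bug. Treat the character class as a triage filter, not proof of exploitation: a hit shows that a request could have tripped the sink, and the status code and user agent decide what to do next.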
Impact
Successful exploitation lets the attacker act as the victim within the wiki's origin: read page content, issue authenticated requests (including administrative actions if the victim holds elevated rights), and read any cookies that are exposed to script [3]. MediaWiki sets its session cookies HttpOnly by default ($wgCookieHttpOnly), which keeps the session cookie itself out of reach of document.cookie; script running in the victim's session can still act on their behalf, for example through the API with the victim's own CSRF token. The issue was rated medium risk [3].
Mitigation
Status
The fix is a commit that passes each applied filter value through htmlspecialchars() before it is used [4]. Administrators should upgrade the Cargo extension to a patched release for the MediaWiki release branch in use: 1.35.14, 1.39.6, 1.40.2, or later. There is no configuration workaround; if the packaged upgrade cannot be applied, the fix itself is a three-line change to drilldown/CargoAppliedFilter.php [4] that can be backported by hand. To confirm an installed copy is fixed, check that drilldown/CargoAppliedFilter.php contains the htmlspecialchars() call on the applied filter values.
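The unescaped sink described in the overview next to the escaped form the fix introduces, as an added example in Python that is not the Cargo extension's code (the real fix is three lines of PHP calling htmlspecialchars() in drilldown/CargoAppliedFilter.php). The HTML shape of the widget, a chip per value carrying the value in a single-quoted data attribute, is an assumption made for the example; the two escape functions model PHP's htmlspecialchars() with its pre-8.1 default flags and with ENT_QUOTES.

```python
import re


def escape_compat(s):
    """Model of PHP htmlspecialchars($s) with its default flags before PHP 8.1
    (ENT_COMPAT): escapes & < > and the double quote, leaves ' untouched."""
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace('"', "&quot;"))


def escape_quotes(s):
    """Model of htmlspecialchars($s, ENT_QUOTES), the default from PHP 8.1 on:
    additionally turns ' into &#039;."""
    return escape_compat(s).replace("'", "&#039;")


def render_applied_filter(name, values, escape=None):
    """Render one applied filter as HTML (widget shape is assumed for the example).
    escape=None reproduces the vulnerable behaviour: user-controlled values are
    concatenated into the markup as-is."""
    esc = escape if escape is not None else (lambda s: s)
    chips = "".join(
        f"<li class='cargo-filter-value' data-value='{esc(v)}'>{esc(v)}</li>"
        for v in values
    )
    return f"<div class='cargo-applied-filter'><b>{esc(name)}</b><ul>{chips}</ul></div>"


def contains_raw_script(rendered):
    """True if an unescaped <script> tag survived into the output."""
    return "<script" in rendered.lower()


def attribute_breakout(rendered):
    """True if a data-value attribute is closed early by a raw quote so that the
    value contributes a new event-handler attribute to the element."""
    return re.search(r"data-value='[^'>]*' on[a-z]+=", rendered) is not None


SCRIPT_PAYLOAD = "<script>alert(document.cookie)</script>"  # constructed
QUOTE_PAYLOAD = "x' onmouseover='alert(1)"                  # constructed

if __name__ == "__main__":
    print(render_applied_filter("artist", [SCRIPT_PAYLOAD]))
    print(render_applied_filter("artist", [SCRIPT_PAYLOAD], escape_quotes))
    print(render_applied_filter("album", [QUOTE_PAYLOAD], escape_compat))
```

The text-node case is closed by either escape function, which is the case the advisory describes. The single-quoted attribute is there to show the caveat a reviewer of the fix would raise: on PHP releases before 8.1, htmlspecialchars() without explicit flags leaves the single quote alone, so a value that reaches a single-quoted attribute still breaks out; passing ENT_QUOTES (or running on PHP 8.1+, where it is the default) closes that path too.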
- [1] NVD - CVE-2024-23173
- [2] GitHub - wikimedia/mediawiki-extensions-Cargo (GitHub mirror of the MediaWiki extension Cargo; the code is hosted on Gerrit, see https://www.mediawiki.org/wiki/Developer_access)
- [3] T348687 CVE-2024-23173: Reflected XSS Could Lead to Steal User Cookie
- [4] Add escaping of applied filter values · wikimedia/mediawiki-extensions-Cargo@e4f0b7f
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mediawiki/cargo (Packagist) | < 1.35.14 | 1.35.14 |
| mediawiki/cargo (Packagist) | >= 1.36.0, < 1.39.6 | 1.39.6 |
| mediawiki/cargo (Packagist) | >= 1.40.0, < 1.40.2 | 1.40.2 |
Affected products
- MediaWiki/Cargo (OSV coordinates; no CPE assigned), 2 version ranges:
  - < 1.41.1
  - < 1.35.14
Patches
e4f0b7fb11da Add escaping of applied filter values
1 file changed · +3 −0
drilldown/CargoAppliedFilter.php+3 −0 modified@@ -41,6 +41,9 @@ public static function create( $filter, $values, $search_terms = null, $lower_da if ( !is_array( $values ) ) { $values = [ $values ]; } + foreach ( $values as &$value ) { + $value = htmlspecialchars( $value ); + } foreach ( $values as $val ) { $filter_val = CargoFilterValue::create( $val, $filter ); $af->values[] = $filter_val;
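Review bot: the escaping in this hunk happens at construction time in create(), before the loop that hands each value to CargoFilterValue::create( $val, $filter ), so every consumer of $af->values receives the HTML-encoded string; if any of them uses the value for a non-HTML purpose (building the drilldown's database conditions, comparing against stored field values), a value containing & or " will no longer match the raw data. Escaping where the filter is rendered would fix the XSS without changing the data the object carries. Two smaller points on the same lines: htmlspecialchars( $value ) is called without flags, and on PHP releases before 8.1 the default (ENT_COMPAT) leaves single quotes unescaped, so pass ENT_QUOTES if any value is rendered inside a single-quoted attribute; and the by-reference loop should be followed by unset( $value ), otherwise a later assignment to $value in this method silently overwrites the last array element. The other parameters in the signature ($search_terms and the date bounds) are not touched by this hunk; confirm they are escaped where they are rendered.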
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-rhpm-63w5-79rg (advisory, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2024-23173 (advisory, via GHSA)
- gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/965214 (web, via GHSA)
- github.com/wikimedia/mediawiki-extensions-Cargo/commit/e4f0b7fb11da0e4b18f2c416101965e417ba3bd2 (web, via GHSA)
- phabricator.wikimedia.org/T348687 (web, via GHSA)
News mentions
No linked articles in our index yet.