CVE-2024-34500
Description
An issue was discovered in the UnlinkedWikibase extension in MediaWiki before 1.39.6, 1.40.x before 1.40.2, and 1.41.x before 1.41.1. XSS can occur through an interface message. Error messages (in the $err var) are not escaped before being passed to Html::rawElement() in the getError() function in the Hooks class.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In MediaWiki's UnlinkedWikibase extension, getError() fails to escape user-controllable error messages before passing to Html::rawElement(), enabling XSS with elevated permissions.
Vulnerability
CVE-2024-34500 describes a cross-site scripting (XSS) vulnerability in the UnlinkedWikibase extension for MediaWiki. The issue lies in the getError() function within the Hooks class, where error messages stored in the $err variable are not escaped before being passed to Html::rawElement(). This allows an attacker who can control interface messages to inject arbitrary HTML and JavaScript into the rendered output. [1][2]
Exploitation
Exploitation requires the attacker to have permission to modify interface messages (e.g., through the MediaWiki message system). When an error is triggered, the unescaped message is passed to Html::rawElement(), which renders it as raw HTML. This can lead to stored XSS if the attacker can set a malicious interface message that is later displayed as an error. The vulnerability was reported via the Wikimedia Phabricator and has a risk rating of Low due to the elevated permissions needed. [1]
Impact
A successful attack could allow the attacker to inject arbitrary scripts or HTML into the wiki interface, potentially leading to session hijacking, defacement, or other actions in the context of the victim's browser. However, the privilege requirement limits the exploit's reach. [1][2]
Mitigation
The vulnerability is fixed in MediaWiki versions 1.39.6, 1.40.2, and 1.41.1. The patch changes the message handling from ->text() to ->escaped() to ensure output is safely escaped. Users are advised to update their installations immediately. The fix is available in the Gerrit change at reference [2].
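As an added illustration (not the extension's own code, and using simplified stand-ins for MediaWiki's Message and Html classes), the before and after of the fix described above, applied to a constructed interface message that carries markup:

```php
<?php
// Added example, not code from the UnlinkedWikibase extension. The Message and
// Html classes below are minimal stand-ins that mimic the relevant behaviour of
// MediaWiki's Message::text(), Message::escaped() and Html::rawElement().
final class Message {
    public function __construct( private string $raw ) {}
    // Like MediaWiki's Message::text(): the message content, unescaped.
    public function text(): string { return $this->raw; }
    // Like MediaWiki's Message::escaped(): HTML-escaped, safe to emit directly.
    public function escaped(): string {
        return htmlspecialchars( $this->raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

final class Html {
    // Like MediaWiki's Html::rawElement(): attributes are escaped, but
    // $contents is treated as already-safe HTML and is NOT escaped.
    public static function rawElement( string $element, array $attribs, string $contents ): string {
        $attr = '';
        foreach ( $attribs as $k => $v ) {
            $attr .= ' ' . $k . '="' . htmlspecialchars( $v, ENT_QUOTES ) . '"';
        }
        return "<$element$attr>$contents</$element>";
    }
}

// Before the fix: markup in the interface message reaches the page verbatim.
function getErrorVulnerable( Message $err ): string {
    return Html::rawElement( 'span', [ 'class' => 'error' ], $err->text() );
}

// After the fix: the message is escaped first, so rawElement() only sees inert text.
function getErrorFixed( Message $err ): string {
    return Html::rawElement( 'span', [ 'class' => 'error' ], $err->escaped() );
}

// Constructed example of an interface message edited to contain a script tag.
$err = new Message( 'Lookup failed: <script>alert(1)</script>' );

echo getErrorVulnerable( $err ), "\n"; // <span class="error">Lookup failed: <script>alert(1)</script></span>
echo getErrorFixed( $err ), "\n";      // <span class="error">Lookup failed: &lt;script&gt;alert(1)&lt;/script&gt;</span>
```

The hardened form is the one-word change the patch makes; an equivalent option is Html::element(), which escapes its contents itself.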
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| samwilson/unlinked-wikibase (Packagist) | < 1.42.0 | 1.42.0 |
Affected products
- MediaWiki / MediaWiki UnlinkedWikibase
- OSV coordinates (2 version ranges): < 1.41.1, plus 1 more
- (no CPE) range: < 1.41.1
- (no CPE) range: < 1.42.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-wcx3-63mm-h8x6 (ghsa, ADVISORY)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FU2FGUXXK6TMV6R52VRECLC6XCSQQISY/ (mitre, vendor-advisory; also listed by ghsa, WEB)
- nvd.nist.gov/vuln/detail/CVE-2024-34500 (ghsa, ADVISORY)
- gerrit.wikimedia.org/r/c/mediawiki/extensions/UnlinkedWikibase/+/1002175 (ghsa, WEB)
- gerrit.wikimedia.org/r/mediawiki/extensions/UnlinkedWikibase.git (ghsa, PACKAGE)
- github.com/github/advisory-database/pull/5310 (ghsa, WEB)
- phabricator.wikimedia.org/T357203 (ghsa, WEB)
News mentions
No linked articles in our index yet.