CVE-2020-26120

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-26120
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-26120.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2020-26120
Aliases
Published
2020-09-27T21:15:13Z
Modified
2025-11-14T10:59:39.965106Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
[none]
Details

XSS exists in the MobileFrontend extension for MediaWiki before 1.34.4 because section.line is mishandled during regex section line replacement from PageGateway. Using crafted HTML, an attacker can elicit an XSS attack via jQuery's parseHTML method, which can cause image callbacks to fire even without the element being appended to the DOM.

References

Affected packages

Git / github.com/wikimedia/mediawiki

Affected ranges

Type
GIT
Repo
https://github.com/wikimedia/mediawiki
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

1.*

1.1.0
1.3.0beta1
1.34.0
1.34.0-rc.0
1.34.0-rc.1
1.34.1
1.34.2
1.34.3
1.5.0alpha1
1.5.0alpha2
1.5.0beta1
1.5.0beta2
1.5.0beta3
1.5.0beta4
1.6.0