CVE-2021-30458

An issue was discovered in Wikimedia Parsoid before 0.11.1 and 0.12.x before 0.12.2. An attacker can send crafted wikitext that Utils/WTUtils.php will transform by using a <meta> tag, bypassing sanitization steps, and potentially allowing for XSS.

References

Affected packages

Git / github.com/wikimedia/mediawiki-services-parsoid

Affected ranges

Type

GIT

Repo

https://github.com/wikimedia/mediawiki-services-parsoid

Events

Introduced

Fixed

682ac3f9f1381a3c2264d1eb0efbd3eba9e41608

Introduced

4062d23e3660fd34b2adc30a9b883f73415b1607

Fixed

15169a678f9f468ff6465035a32f28e8ec82003f

Database specific

{
    "source": "CPE_FIELD",
    "cpe": "cpe:2.3:a:wikimedia:parsoid:*:*:*:*:*:node.js:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.11.1"
        },
        {
            "introduced": "0.12.0"
        },
        {
            "fixed": "0.12.2"
        }
    ]
}

Affected versions

v0.*

v0.10.0

v0.11.0

v0.12.0

v0.12.1

v0.2.0

v0.3.0

v0.4.0

v0.4.1

v0.5.0

v0.5.1

v0.5.2

v0.6.0

v0.6.1

v0.7.0

v0.7.1

v0.8.0

v0.9.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-30458.json"