CVE-2023-22911

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2023-22911
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-22911.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-22911
Aliases
Downstream
Published
2023-01-10T08:15:10.433Z
Modified
2026-04-16T00:12:45.679600621Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. E-Widgets does widget replacement in HTML attributes, which can lead to XSS, because widget authors often do not expect that their widget is executed in an HTML attribute context.

References

Affected packages

Git / github.com/wikimedia/mediawiki

Affected ranges

Type
GIT
Repo
https://github.com/wikimedia/mediawiki
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
4a804b4950cd62bfbd1991471308e27793ab2a27
Introduced
bc542ec6d8573dfb906b468901799e0017875f1e
Fixed
1b1d48cd6fa6d7aed8f8c3fc3e729ba0078152e7
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
c95fc4786beba034fa643062b98a60ccbde831fd
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.35.9"
        },
        {
            "introduced": "1.36.0"
        },
        {
            "fixed": "1.38.5"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.39.0-NA"
        }
    ]
}

Affected versions

1.*
1.1.0
1.10.0
1.10.0rc1
1.10.0rc2
1.10.1
1.10.2
1.10.3
1.10.4
1.11.0
1.11.0rc1
1.11.1
1.11.2
1.12.0
1.12.0rc1
1.12.1
1.12.2
1.12.3
1.12.4
1.13.0
1.13.0rc1
1.13.0rc2
1.13.1
1.13.2
1.13.3
1.13.4
1.13.5
1.14.0
1.14.0rc1
1.14.1
1.15.0
1.15.0rc1
1.15.1
1.15.2
1.15.3
1.15.4
1.15.5
1.16.0
1.16.0beta1
1.16.0beta2
1.16.0beta3
1.16.1
1.16.2
1.16.3
1.16.4
1.16.5
1.17.0
1.17.0beta1
1.17.0rc1
1.17.1
1.17.2
1.17.3
1.17.4
1.17.5
1.18.0
1.18.0beta1
1.18.0rc1
1.18.1
1.18.2
1.18.3
1.18.4
1.18.5
1.18.6
1.19.0
1.19.0beta1
1.19.0beta2
1.19.0rc1
1.19.1
1.19.10
1.19.11
1.19.12
1.19.13
1.19.14
1.19.15
1.19.16
1.19.17
1.19.18
1.19.19
1.19.2
1.19.20
1.19.21
1.19.22
1.19.23
1.19.24
1.19.3
1.19.4
1.19.5
1.19.6
1.19.7
1.19.8
1.19.9
1.2.0
1.2.0rc1
1.2.0rc2
1.2.0rc3
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.20.0
1.20.0rc1
1.20.0rc2
1.20.1
1.20.2
1.20.3
1.20.4
1.20.5
1.20.6
1.20.7
1.20.8
1.21.0
1.21.1
1.21.10
1.21.11
1.21.2
1.21.3
1.21.4
1.21.5
1.21.6
1.21.7
1.21.8
1.21.9
1.22.0
1.22.0rc-FINAL
1.22.0rc0
1.22.0rc1
1.22.0rc2
1.22.0rc3
1.22.1
1.22.10
1.22.11
1.22.12
1.22.13
1.22.14
1.22.15
1.22.2
1.22.3
1.22.4
1.22.5
1.22.6
1.22.7
1.22.8
1.22.9
1.23.0
1.23.0-rc.1
1.23.0-rc.2
1.23.0-rc.3
1.23.0rc0
1.23.1
1.23.10
1.23.11
1.23.12
1.23.13
1.23.14
1.23.15
1.23.16
1.23.17
1.23.2
1.23.3
1.23.4
1.23.5
1.23.6
1.23.7
1.23.8
1.23.9
1.24.0
1.24.0-rc.0
1.24.0-rc.1
1.24.0-rc.2
1.24.0-rc.3
1.24.1
1.24.2
1.24.3
1.24.4
1.24.5
1.24.6
1.25.0
1.25.0-rc.0
1.25.1
1.25.2
1.25.3
1.25.4
1.25.5
1.25.6
1.26.0
1.26.1
1.26.2
1.26.3
1.26.4
1.27.0
1.27.0-rc.0
1.27.0-rc.1
1.27.1
1.27.2
1.27.3
1.27.4
1.27.5
1.27.6
1.27.7
1.28.0
1.28.0-rc.0
1.28.0-rc.1
1.28.1
1.28.2
1.28.3
1.29.0
1.29.0-rc.0
1.29.0-rc.1
1.29.1
1.29.2
1.29.3
1.3.0
1.3.0beta1
1.3.0beta2
1.3.0beta3
1.3.0beta4
1.3.0beta4a
1.3.0beta5
1.3.0beta6
1.3.1
1.3.10
1.3.11
1.3.12
1.3.13
1.3.14
1.3.15
1.3.16
1.3.17
1.3.18
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.3.8
1.3.9
1.30.0
1.30.0-rc.0
1.30.1
1.30.2
1.31.0
1.31.0-rc.0
1.31.0-rc.1
1.31.0-rc.2
1.31.1
1.31.10
1.31.11
1.31.12
1.31.13
1.31.14
1.31.15
1.31.16
1.31.2
1.31.3
1.31.4
1.31.5
1.31.6
1.31.7
1.31.8
1.31.9
1.31.9-2
1.32.0
1.32.0-rc.0
1.32.0-rc.1
1.32.0-rc.2
1.32.1
1.32.2
1.32.3
1.32.4
1.32.5
1.32.6
1.33.0
1.33.0-rc.0
1.33.1
1.33.2
1.33.3
1.33.4
1.34.0
1.34.0-rc.0
1.34.0-rc.1
1.34.1
1.34.2
1.34.3
1.34.4
1.35.0
1.35.0-rc.0
1.35.0-rc.1
1.35.0-rc.2
1.35.0-rc.3
1.35.1
1.35.2
1.35.3
1.35.4
1.35.5
1.35.6
1.35.7
1.35.8
1.36.0
1.36.0-rc.0
1.36.1
1.36.2
1.36.3
1.36.4
1.37.0
1.37.0-rc.0
1.37.0-rc.1
1.37.0-rc.2
1.37.1
1.37.2
1.37.3
1.37.4
1.37.5
1.37.6
1.38.0
1.38.0-rc.0
1.38.0-rc.1
1.38.1
1.38.2
1.38.3
1.38.4
1.39.0
1.39.0-rc.0
1.39.0-rc.1
1.4.0
1.4.0beta
1.4.0beta1
1.4.0beta2
1.4.0beta4
1.4.0beta5
1.4.0beta6
1.4.0rc1
1.4.1
1.4.10
1.4.11
1.4.12
1.4.13
1.4.14
1.4.15
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.4.7
1.4.8
1.4.9
1.40.0
1.40.0-rc.0
1.40.1
1.40.2
1.40.3
1.40.4
1.41.0
1.41.0-rc.0
1.41.1
1.41.2
1.41.3
1.41.4
1.41.5
1.42.0
1.42.0-rc.0
1.42.1
1.42.2
1.42.3
1.42.4
1.42.5
1.42.6
1.42.7
1.43.0
1.43.0-rc.0
1.43.1
1.43.2
1.43.3
1.43.4
1.43.5
1.43.6
1.44.0
1.44.0-rc.0
1.44.1
1.44.2
1.44.3
1.45.0
1.45.0-rc.0
1.45.1
1.5.0
1.5.0alpha1
1.5.0alpha2
1.5.0beta1
1.5.0beta2
1.5.0beta3
1.5.0beta4
1.5.0rc1
1.5.0rc2
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.5.6
1.5.7
1.5.8
1.6.0
1.6.1
1.6.10
1.6.11
1.6.12
1.6.2
1.6.3
1.6.4
1.6.5
1.6.6
1.6.7
1.6.8
1.6.9
1.7.0
1.7.1
1.7.2
1.7.3
1.8.0
1.8.1
1.8.2
1.8.3
1.8.4
1.8.5
1.9.0
1.9.0rc1
1.9.0rc2
1.9.1
1.9.2
1.9.3
1.9.4
1.9.5
1.9.6
Other
REL1_23
REL1_25
REL1_26
REL1_27
REL1_28
REL1_29
REL1_30
REL1_31
REL1_32
REL1_33
REL1_34
REL1_36
REL1_37
fundraising/REL1_27
fundraising/REL1_31

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-22911.json"
unresolved_ranges 
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "1.39.0-rc0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "1.39.0-rc1"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "37"
            }
        ]
    }
]