UBUNTU-CVE-2020-35475

Source
https://ubuntu.com/security/CVE-2020-35475
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2020/UBUNTU-CVE-2020-35475.json
JSON Data
https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2020-35475
Related
Published
2020-12-18T08:15:00Z
Modified
2024-10-15T14:07:49Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

In MediaWiki before 1.35.1, the messages userrights-expiry-current and userrights-expiry-none can contain raw HTML. XSS can happen when a user visits Special:UserRights but does not have rights to change all userrights, and the table on the left side has unchangeable groups in it. (The right column with the changeable groups is not affected and is escaped correctly.)

References

Affected packages

Ubuntu:Pro:18.04:LTS / mediawiki

Package

Name
mediawiki
Purl
pkg:deb/ubuntu/mediawiki?arch=src?distro=esm-apps/bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1:1.*

1:1.27.3-1
1:1.27.4-1
1:1.27.4-2
1:1.27.4-3

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:20.04:LTS / mediawiki

Package

Name
mediawiki
Purl
pkg:deb/ubuntu/mediawiki?arch=src?distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1:1.*

1:1.31.2-1ubuntu1
1:1.31.5-1
1:1.31.5-1ubuntu1
1:1.31.5-2
1:1.31.5-3
1:1.31.5-3ubuntu1
1:1.31.6-1
1:1.31.7-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:22.04:LTS / mediawiki

Package

Name
mediawiki
Purl
pkg:deb/ubuntu/mediawiki?arch=src?distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1:1.*

1:1.35.3-1
1:1.35.4-1
1:1.35.5-1
1:1.35.5-1ubuntu1
1:1.35.5-1ubuntu2
1:1.35.5-1ubuntu3
1:1.35.6-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.10 / mediawiki

Package

Name
mediawiki
Purl
pkg:deb/ubuntu/mediawiki?arch=src?distro=oracular

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1:1.*

1:1.39.7-1
1:1.39.8-1
1:1.39.8-1build1
1:1.39.10-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.04:LTS / mediawiki

Package

Name
mediawiki
Purl
pkg:deb/ubuntu/mediawiki?arch=src?distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1:1.*

1:1.39.4-2
1:1.39.5-1
1:1.39.6-1
1:1.39.7-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}