Bug 2081078 (CVE-2022-29969) - CVE-2022-29969 mediawiki: Cross-site scripting (XSS) in RSS plugin
Summary: CVE-2022-29969 mediawiki: Cross-site scripting (XSS) in RSS plugin
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2022-29969
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2081079
Blocks: 2081092
TreeView+ depends on / blocked
 
Reported: 2022-05-02 17:16 UTC by Todd Cullum
Modified: 2022-05-04 14:54 UTC (History)
12 users (show)

Fixed In Version: mediawiki 1.39.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the RSS extension of MediaWiki. This flaw allows a remote attacker to cause a Cross-site scripting (XSS) attack if the feed is in $wgRSSUrlWhitelist and the $wgRSSAllowLinkTag is true.
Clone Of:
Environment:
Last Closed: 2022-05-04 09:45:19 UTC
Embargoed:


Attachments (Terms of Use)

Description Todd Cullum 2022-05-02 17:16:34 UTC
The RSS extension before 2022-04-29 for MediaWiki allows XSS via an rss element (if the feed is in $wgRSSUrlWhitelist and $wgRSSAllowLinkTag is true).

References:
https://phabricator.wikimedia.org/T307028
https://gerrit.wikimedia.org/r/c/787807

Comment 1 Todd Cullum 2022-05-02 17:16:50 UTC
Created mediawiki tracking bugs for this issue:

Affects: fedora-all [bug 2081079]

Comment 3 Product Security DevOps Team 2022-05-04 09:45:16 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-29969


Note You need to log in before you can comment on or make changes to this bug.