CVE-2020-26120

XSS exists in the MobileFrontend extension for MediaWiki before 1.34.4 because section.line is mishandled during regex section line replacement from PageGateway. Using crafted HTML, an attacker can elicit an XSS attack via jQuery's parseHTML method, which can cause image callbacks to fire even without the element being appended to the DOM.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.1 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 56%
VendorProductVersion
mediawikimediawiki
𝑥
< 1.34.4
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://gerrit.wikimedia.org/r/q/I42e079bc875d17b336ab015f3678eaedc26e10ea
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RTTPZ7XMDS66I442OLLHXBDNP2LCBJU6/
https://phabricator.wikimedia.org/T262213
https://gerrit.wikimedia.org/r/q/I42e079bc875d17b336ab015f3678eaedc26e10ea
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RTTPZ7XMDS66I442OLLHXBDNP2LCBJU6/
https://phabricator.wikimedia.org/T262213