CVE-2021-30154

Description

An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. On Special:NewFiles, all the mediastatistics-header-* messages are output in HTML unescaped, leading to XSS.

How to fix CVE-2021-30154

To remediate CVE-2021-30154, upgrade the affected package to a fixed version below.

Bitnami/mediawiki—upgrade to 1.31.12 or later
Debian/mediawiki—upgrade to 1:1.35.2-1 or later

Is CVE-2021-30154 being exploited?

Low — EPSS is 0.8%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 1.31.12, >= 1.32.0, < 1.35.2
from 0, < 1:1.35.2-1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (7)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-30154
WEBlists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/26UJGHF7LJDOCQN6A3Z4PM7PYRKENJHE/
WEBlists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2OMSV7B2TCFBOCICN3B4SMQP5HVRJQIT/
WEB