CVE-2021-41798

Description

MediaWiki before 1.36.2 allows XSS. Month related MediaWiki messages are not escaped before being used on the Special:Search results page.

How to fix CVE-2021-41798

To remediate CVE-2021-41798, upgrade the affected package to a fixed version below.

• Bitnami/mediawiki—upgrade to 1.36.2 or later
• Debian/mediawiki—upgrade to 1:1.35.4-1~deb11u1 or later

Is CVE-2021-41798 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• from 0, < 1.36.2
• from 0, < 1:1.35.4-1~deb11u1

CVSS scores

References (7)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-41798
• WEBlists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CJDYJQWT43GBD6GNQ4OW7JOZ6WQ6DZTN/
• WEBlists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MDBPECBWN6LWNSWIQMVXK6PP4YFEUYHA/