CVE-2022-28202

Description

An XSS issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. The widthheight, widthheightpage, and nbytes properties of messages are not escaped when used in galleries or Special:RevisionDelete.

How to fix CVE-2022-28202

To remediate CVE-2022-28202, upgrade the affected package to a fixed version below.

Bitnami/mediawiki—upgrade to 1.35.6 or later
Debian/mediawiki—upgrade to 1:1.35.8-1~deb11u1 or later

Is CVE-2022-28202 being exploited?

Low — EPSS is 1.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 1.35.6, >= 1.36.0, < 1.36.4, >= 1.37.0, < 1.37.2
from 0, < 1:1.35.8-1~deb11u1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (7)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2022-28202
WEBlists.debian.org/debian-lts-announce/2022/09/msg00027.html
WEBlists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PT4CHJKOQOVMI65TSNZRNV6FIWU7SGZD/
WEBnvd.nist.gov/vuln/detail/CVE-2022-28202