CVE-2019-12471: MediaWiki Cross-site Scripting (XSS)

CVSS Score (v3.0)
6.1

Basic Information

EPSS Score
0.54515%
Published
5/24/2022
Updated
5/15/2024
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name     Ecosystem   Vulnerable Versions     First Patched Version
mediawiki/core   composer    >= 1.27.0, < 1.27.6     1.27.6
mediawiki/core   composer    >= 1.30.0, < 1.30.2     1.30.2
mediawiki/core   composer    >= 1.31.0, < 1.31.2     1.31.2

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from MediaWiki's handling of user subpages (e.g., User:NonExistent/script.js) through the raw action. The unpatched RawAction::execute function served these resources without checking whether the user account named in the title actually existed. This allowed attackers to 1) create pages under non-existent user namespaces, 2) subsequently register those usernames, and 3) execute arbitrary code via imported scripts. The security patch added user-existence checks specifically for JS/CSS/JSON subpages, which would be implemented in the RawAction handler.
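As an added example (not MediaWiki's own code), the following self-contained PHP models the check described above: a User-namespace JS/CSS/JSON subpage is only served by the raw action when the named account exists. The function names and the `$userExists` lookup are assumptions, and the model skips MediaWiki's username canonicalization.

```php
<?php
// Added example, not MediaWiki's own code: a stand-alone model of the
// raw-action decision for user subpages. Names below are assumptions.
declare(strict_types=1);

// Returns [username, extension] for titles of the form
// User:<name>/<subpage>.js|css|json, or null for anything else.
function parseUserConfigSubpage(string $title): ?array {
    if (!preg_match('#^User:([^/]+)/.+\.(js|css|json)$#i', $title, $m)) {
        return null;
    }
    return [$m[1], strtolower($m[2])];
}

// Unpatched behaviour: the raw action served the page whether or not
// the account in the title existed.
function shouldServeRawUnpatched(string $title): bool {
    return true;
}

// Patched behaviour: $userExists stands in for a lookup of the user table
// (passed as a closure so the example runs offline).
function shouldServeRawPatched(string $title, callable $userExists): bool {
    $parsed = parseUserConfigSubpage($title);
    if ($parsed === null) {
        return true; // not a user JS/CSS/JSON subpage; outside this check
    }
    [$name] = $parsed;
    // A script attributed to an account nobody owns yet must not be served:
    // whoever registers that name later would control what it contains.
    return $userExists($name);
}

// Constructed sample data: only the account "Alice" exists.
$userExists = fn(string $name): bool => $name === 'Alice';

$cases = [
    'User:Alice/common.js'       => true,
    'User:NonExistent/script.js' => false,
    'User:NonExistent/notes'     => true,   // not JS/CSS/JSON, unaffected
    'MediaWiki:Common.css'       => true,   // not in the User namespace
];
foreach ($cases as $title => $expected) {
    $patched = shouldServeRawPatched($title, $userExists);
    printf("%-28s unpatched=%-5s patched=%s\n", $title,
        shouldServeRawUnpatched($title) ? 'true' : 'false',
        $patched ? 'true' : 'false');
    assert($patched === $expected);
}
```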

WAF Protection Rules

WAF Rule

Wikimedia MediaWiki *.**.* through *.**.* has XSS. Loading user JavaScript from a non-existent account allows anyone to create the account, and perform XSS on users loading that script. Fixed in *.**.*, *.**.*, *.**.* and *.**.*.
