-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe vulnerability is a stored Cross-site Scripting (XSS) issue in the Cargo extension for Mediawiki. The analysis of the provided commit e50915626c0d9a7b222dabc94ddfcb516caf557d clearly points to the vulnerable function. The patch modifies the printFilterValue function in the CargoDrilldownPage.php file. Previously, this function would return a raw, unescaped value which was then rendered on the page. This allowed for the injection of malicious HTML and JavaScript. The fix involves wrapping the returned value with htmlspecialchars, which properly escapes the output and mitigates the XSS vulnerability. Therefore, the printFilterValue function is the exact location of the vulnerability.
CargoDrilldownPage.printFilterValuedrilldown/CargoDrilldownPage.php
Ongoing coverage of React2Shell
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| mediawiki/cargo | composer | < 3.8.3 | 3.8.3 |
PHPPHP