CVE-2013-4303

EPSS 1.5%

Vexday Risk Score

3Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS —EPSS 1.5%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

11 Dec 2019Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

includes/libs/IEUrlExtension.php in the MediaWiki API in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 does not properly detect extensions when there are an even number of "." (period) characters in a string, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the siprop parameter in a query action to wiki/api.php.

Affected products

Wikimedia Foundation · MediaWiki

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html https://bugzilla.wikimedia.org/show_bug.cgi?id=52746 http://seclists.org/oss-sec/2013/q3/553 https://exchange.xforce.ibmcloud.com/vulnerabilities/86897 http://www.securityfocus.com/bid/62194