CVE-2016-6334
Published on: 04/20/2017 12:00:00 AM UTC
Last Modified on: 03/23/2021 11:27:11 PM UTC
Certain versions of MediaWiki from MediaWiki contain the following vulnerability:
Cross-site scripting (XSS) vulnerability in the Parser::replaceInternalLinks2 method in MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote attackers to inject arbitrary web script or HTML via vectors involving replacement of percent encoding in unclosed internal links.
- CVE-2016-6334 has been assigned by [email protected] to track the vulnerability - currently rated as MEDIUM severity.
CVSS3 Score: 6.1 - MEDIUM
Attack Vector | Attack Complexity | Privileges Required | User Interaction |
---|---|---|---|
NETWORK | LOW | NONE | REQUIRED |

Scope | Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|---|
CHANGED | LOW | LOW | NONE |
CVSS2 Score: 4.3 - MEDIUM
Access Vector | Access Complexity | Authentication |
---|---|---|
NETWORK | MEDIUM | NONE |

Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|
NONE | PARTIAL | NONE |
CVE References
Description | Tags | Link |
---|---|---|
[MediaWiki-announce] Security Release - 1.27.1, 1.26.4, 1.23.15 | Mailing List, Patch, Vendor Advisory | lists.wikimedia.org text/html |
Mediawiki 'Parser::replaceInternalLinks2()' Method Cross-Site Scripting Vulnerability | | cve.report (archive) text/html |
1369613 – (CVE-2016-6331, CVE-2016-6332, CVE-2016-6333, CVE-2016-6334, CVE-2016-6335, CVE-2016-6336) CVE-2016-6331 CVE-2016-6332 CVE-2016-6333 CVE-2016-6334 CVE-2016-6335 CVE-2016-6336 mediawiki: multiple flaws fixed in 1.27.1, 1.26.4 and 1.23.15 | Issue Tracking | bugzilla.redhat.com text/html |
⚓ T137264 XSS in Parser::replaceInternalLinks2 during replacement of percent encoding in unclosed internal links | Patch, Third Party Advisory | phabricator.wikimedia.org text/html |
There are currently no QIDs associated with this CVE
Known Affected Configurations (CPE V2.3)
Type | Vendor | Product | Version | Update | Edition | Language |
---|---|---|---|---|---|---|
Application | Mediawiki | Mediawiki | 1.26.0 | All | All | All |
Application | Mediawiki | Mediawiki | 1.26.1 | All | All | All |
Application | Mediawiki | Mediawiki | 1.26.2 | All | All | All |
Application | Mediawiki | Mediawiki | 1.26.3 | All | All | All |
Application | Mediawiki | Mediawiki | 1.26.4 | All | All | All |
Application | Mediawiki | Mediawiki | 1.27.0 | All | All | All |
Application | Mediawiki | Mediawiki | All | All | All | All |
- cpe:2.3:a:mediawiki:mediawiki:1.26.0:*:*:*:*:*:*:*:
- cpe:2.3:a:mediawiki:mediawiki:1.26.1:*:*:*:*:*:*:*:
- cpe:2.3:a:mediawiki:mediawiki:1.26.2:*:*:*:*:*:*:*:
- cpe:2.3:a:mediawiki:mediawiki:1.26.3:*:*:*:*:*:*:*:
- cpe:2.3:a:mediawiki:mediawiki:1.26.4:*:*:*:*:*:*:*:
- cpe:2.3:a:mediawiki:mediawiki:1.27.0:*:*:*:*:*:*:*:
- cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*:
No vendor comments have been submitted for this CVE