{"api_version":"1","generated_at":"2026-04-23T08:40:06+00:00","cve":"CVE-2022-28202","urls":{"html":"https://cve.report/CVE-2022-28202","api":"https://cve.report/api/cve/CVE-2022-28202.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-28202","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-28202"},"summary":{"title":"CVE-2022-28202","description":"An XSS issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. The widthheight, widthheightpage, and nbytes properties of messages are not escaped when used in galleries or Special:RevisionDelete.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2022-03-30 06:15:00","updated_at":"2023-11-07 03:45:00"},"problem_types":["CWE-79"],"metrics":[],"references":[{"url":"https://www.debian.org/security/2022/dsa-5246","name":"DSA-5246","refsource":"DEBIAN","tags":[],"title":"Debian -- Security Information -- DSA-5246-1 mediawiki","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://phabricator.wikimedia.org/T297543","name":"https://phabricator.wikimedia.org/T297543","refsource":"MISC","tags":[],"title":"⚓ T297543 CVE-2022-: Messages widthheight/widthheightpage/nbytes not escaped when used in galleries or Special:RevisionDelete","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PT4CHJKOQOVMI65TSNZRNV6FIWU7SGZD/","name":"FEDORA-2022-69bc42d6cf","refsource":"","tags":[],"title":"[SECURITY] Fedora 36 Update: mediawiki-1.37.2-1.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.debian.org/debian-lts-announce/2022/09/msg00027.html","name":"[debian-lts-announce] 20220922 [SECURITY] [DLA 3117-1] mediawiki security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 3117-1] mediawiki security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.gentoo.org/glsa/202305-24","name":"GLSA-202305-24","refsource":"GENTOO","tags":[],"title":"MediaWiki: Multiple Vulnerabilities (GLSA 202305-24) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PT4CHJKOQOVMI65TSNZRNV6FIWU7SGZD/","name":"FEDORA-2022-69bc42d6cf","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 36 Update: mediawiki-1.37.2-1.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-28202","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-28202","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"28202","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"28202","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"36","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"28202","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mediawiki","cpe5":"mediawiki","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-28202","qid":"181071","title":"Debian Security Update for mediawiki (DLA 3117-1)"},{"cve":"CVE-2022-28202","qid":"181110","title":"Debian Security Update for mediawiki (DSA 5246-1)"},{"cve":"CVE-2022-28202","qid":"183688","title":"Debian Security Update for mediawiki (CVE-2022-28202)"},{"cve":"CVE-2022-28202","qid":"282870","title":"Fedora Security Update for mediawiki (FEDORA-2022-69bc42d6cf)"},{"cve":"CVE-2022-28202","qid":"690827","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for mediawiki (79ea6066-b40e-11ec-8b93-080027b24e86)"},{"cve":"CVE-2022-28202","qid":"710731","title":"Gentoo Linux MediaWiki Multiple Vulnerabilities (GLSA 202305-24)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2022-28202","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"An XSS issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. The widthheight, widthheightpage, and nbytes properties of messages are not escaped when used in galleries or Special:RevisionDelete."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://phabricator.wikimedia.org/T297543","refsource":"MISC","name":"https://phabricator.wikimedia.org/T297543"},{"refsource":"FEDORA","name":"FEDORA-2022-69bc42d6cf","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PT4CHJKOQOVMI65TSNZRNV6FIWU7SGZD/"},{"refsource":"MLIST","name":"[debian-lts-announce] 20220922 [SECURITY] [DLA 3117-1] mediawiki security update","url":"https://lists.debian.org/debian-lts-announce/2022/09/msg00027.html"},{"refsource":"DEBIAN","name":"DSA-5246","url":"https://www.debian.org/security/2022/dsa-5246"},{"refsource":"GENTOO","name":"GLSA-202305-24","url":"https://security.gentoo.org/glsa/202305-24"}]}},"nvd":{"publishedDate":"2022-03-30 06:15:00","lastModifiedDate":"2023-11-07 03:45:00","problem_types":["CWE-79"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":6.1,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":2.7},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":4.3},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*","versionEndExcluding":"1.35.6","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*","versionStartIncluding":"1.36.0","versionEndExcluding":"1.36.4","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*","versionStartIncluding":"1.37.0","versionEndExcluding":"1.37.2","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}