Candidate: CVE-2020-10960
PublicDate: 2020-04-03 15:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10960
 https://phabricator.wikimedia.org/T246602
 https://lists.wikimedia.org/pipermail/wikitech-l/2020-March/093243.html
Description:
 In MediaWiki before 1.34.1, users can add various Cascading Style Sheets
 (CSS) classes (which can affect what content is shown or hidden in the user
 interface) to arbitrary DOM nodes via HTML content within a MediaWiki page.
 This occurs because jquery.makeCollapsible allows applying an event handler
 to any Cascading Style Sheets (CSS) selector. There is no known way to
 exploit this for cross-site scripting (XSS).
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N [5.3 MEDIUM]


Patches_mediawiki:
upstream_mediawiki: released (1:1.31.7-1)
precise/esm_mediawiki: DNE
trusty_mediawiki: ignored (out of standard support)
trusty/esm_mediawiki: DNE
xenial_mediawiki: DNE
bionic_mediawiki: needs-triage
eoan_mediawiki: ignored (reached end-of-life)
focal_mediawiki: not-affected (1:1.31.7-1)
groovy_mediawiki: not-affected (1:1.31.7-1)
hirsute_mediawiki: not-affected (1:1.31.7-1)
impish_mediawiki: not-affected (1:1.31.7-1)
jammy_mediawiki: not-affected (1:1.31.7-1)
devel_mediawiki: not-affected (1:1.31.7-1)