Candidate: CVE-2020-25828
PublicDate: 2020-09-27 21:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25828
 https://lists.wikimedia.org/pipermail/wikitech-l/2020-September/093888.html
 https://phabricator.wikimedia.org/T115888
 https://lists.wikimedia.org/pipermail/mediawiki-announce
 https://lists.wikimedia.org/pipermail/mediawiki-l/2020-September/048480.html
 https://lists.wikimedia.org/pipermail/mediawiki-l/2020-September/048488.html
Description:
 An issue was discovered in MediaWiki before 1.31.10 and 1.32.x through
 1.34.x before 1.34.4. The non-jqueryMsg version of mw.message().parse()
 doesn't escape HTML. This affects both message contents (which are
 generally safe) and the parameters (which can be based on user input).
 (When jqueryMsg is loaded, it correctly accepts only whitelisted tags in
 message contents, and escapes all parameters. Situations with an unloaded
 jqueryMsg are rare in practice, but can for example occur for
 Special:SpecialPages on a wiki with no extensions installed.)
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N [6.1 MEDIUM]


Patches_mediawiki:
upstream_mediawiki: released (1:1.35.0-1)
precise/esm_mediawiki: DNE
trusty_mediawiki: ignored (out of standard support)
trusty/esm_mediawiki: DNE
xenial_mediawiki: DNE
bionic_mediawiki: needs-triage
focal_mediawiki: needs-triage
groovy_mediawiki: not-affected (1:1.35.0-1)
hirsute_mediawiki: not-affected (1:1.35.0-1)
impish_mediawiki: not-affected (1:1.35.0-1)
jammy_mediawiki: not-affected (1:1.35.0-1)
devel_mediawiki: not-affected (1:1.35.0-1)