Vulnerability CVE-2022-34491


Published: 2022-06-25   Modified: 2022-06-26

Description:
In the RSS extension for MediaWiki through 1.38.1, when the $wgRSSAllowLinkTag config variable was set to true, and a new RSS feed was created with certain XSS payloads within its description tags and added to the $wgRSSUrlWhitelist config variable, stored XSS could occur via MediaWiki's template system whenever that feed was loaded via the rss document tag.

References:
https://phabricator.wikimedia.org/T307028
https://gerrit.wikimedia.org/r/q/I2f7827103bdee0ea766b1f5e7040e2a022fcd2f3

Copyright 2022, cxsecurity.com

 
