CVE-2022-28202
MEDIUM 6.1 | EPSS 1.1% | Published: 3/30/2022 | Modified: 4/28/2026
Description
An XSS issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. The widthheight, widthheightpage, and nbytes properties of messages are not escaped when used in galleries or Special:RevisionDelete.
Affected packages (2)
- Bitnami/mediawiki: from 0, < 1.35.6, >= 1.36.0, < 1.36.4, >= 1.37.0, < 1.37.2
- Debian/mediawiki: from 0, < 1:1.35.8-1~deb11u1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
References (7)
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2022-28202
- WEB: https://lists.debian.org/debian-lts-announce/2022/09/msg00027.html
- WEB: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PT4CHJKOQOVMI65TSNZRNV6FIWU7SGZD/
- WEB: https://nvd.nist.gov/vuln/detail/CVE-2022-28202
- WEB: https://phabricator.wikimedia.org/T297543
- WEB: https://security.gentoo.org/glsa/202305-24
- WEB: https://www.debian.org/security/2022/dsa-5246