CVE-2022-21710 - OpenCVE

ShortDescription is a MediaWiki extension that provides local short description support. A cross-site scripting (XSS) vulnerability exists in versions prior to 2.3.4. On a wiki that has the ShortDescription enabled, XSS can be triggered on any page or the page with the action=info parameter, which displays the shortdesc property. This is achieved using the wikitext `{{SHORTDESC:<img src=x onerror=alert()>}}`. This issue has a patch in version 2.3.4.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mediawiki	Shortdescription

Configuration 1 [-]

cpe:2.3:a:mediawiki:shortdescription:*:*:*:*:*:mediawiki:*:*

No data.

References

Link	Providers
https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/commit/7c86644158388620c6c858258cc4e1a8de6e48ea
https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/commit/bf568edd892adb8528dcb64f75dddf3eeaccc12c
https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/security/advisories/GHSA-mgcp-qw2r-6832

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-01-24T19:45:10

Updated: 2024-08-03T02:53:35.497Z

Reserved: 2021-11-16T00:00:00

Link: CVE-2022-21710

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-01-24T20:15:08.600

Modified: 2022-01-28T18:56:22.597

Link: CVE-2022-21710

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "mediawiki-extensions-ShortDescription", "vendor": "StarCitizenTools", "versions": [{"status": "affected", "version": "< 2.3.4"}]}], "descriptions": [{"lang": "en", "value": "ShortDescription is a MediaWiki extension that provides local short description support. A cross-site scripting (XSS) vulnerability exists in versions prior to 2.3.4. On a wiki that has the ShortDescription enabled, XSS can be triggered on any page or the page with the action=info parameter, which displays the shortdesc property. This is achieved using the wikitext `{{SHORTDESC:<img src=x onerror=alert()>}}`. This issue has a patch in version 2.3.4."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-01-24T19:45:10", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/security/advisories/GHSA-mgcp-qw2r-6832"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/commit/7c86644158388620c6c858258cc4e1a8de6e48ea"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/commit/bf568edd892adb8528dcb64f75dddf3eeaccc12c"}], "source": {"advisory": "GHSA-mgcp-qw2r-6832", "discovery": "UNKNOWN"}, "title": "Cross-site Scripting in ShortDescription extension", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-21710", "STATE": "PUBLIC", "TITLE": "Cross-site Scripting in ShortDescription extension"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "mediawiki-extensions-ShortDescription", "version": {"version_data": [{"version_value": "< 2.3.4"}]}}]}, "vendor_name": "StarCitizenTools"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "ShortDescription is a MediaWiki extension that provides local short description support. A cross-site scripting (XSS) vulnerability exists in versions prior to 2.3.4. On a wiki that has the ShortDescription enabled, XSS can be triggered on any page or the page with the action=info parameter, which displays the shortdesc property. This is achieved using the wikitext `{{SHORTDESC:<img src=x onerror=alert()>}}`. This issue has a patch in version 2.3.4."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/security/advisories/GHSA-mgcp-qw2r-6832", "refsource": "CONFIRM", "url": "https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/security/advisories/GHSA-mgcp-qw2r-6832"}, {"name": "https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/commit/7c86644158388620c6c858258cc4e1a8de6e48ea", "refsource": "MISC", "url": "https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/commit/7c86644158388620c6c858258cc4e1a8de6e48ea"}, {"name": "https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/commit/bf568edd892adb8528dcb64f75dddf3eeaccc12c", "refsource": "MISC", "url": "https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/commit/bf568edd892adb8528dcb64f75dddf3eeaccc12c"}]}, "source": {"advisory": "GHSA-mgcp-qw2r-6832", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T02:53:35.497Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/security/advisories/GHSA-mgcp-qw2r-6832"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/commit/7c86644158388620c6c858258cc4e1a8de6e48ea"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/commit/bf568edd892adb8528dcb64f75dddf3eeaccc12c"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-21710", "datePublished": "2022-01-24T19:45:10", "dateReserved": "2021-11-16T00:00:00", "dateUpdated": "2024-08-03T02:53:35.497Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mediawiki:shortdescription:*:*:*:*:*:mediawiki:*:*", "matchCriteriaId": "161BDB24-4950-4933-AEB4-E6B208EA1521", "versionEndExcluding": "2.3.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ShortDescription is a MediaWiki extension that provides local short description support. A cross-site scripting (XSS) vulnerability exists in versions prior to 2.3.4. On a wiki that has the ShortDescription enabled, XSS can be triggered on any page or the page with the action=info parameter, which displays the shortdesc property. This is achieved using the wikitext `{{SHORTDESC:<img src=x onerror=alert()>}}`. This issue has a patch in version 2.3.4."}, {"lang": "es", "value": "ShortDescription es una extensi\u00f3n de MediaWiki que proporciona soporte local para descripciones cortas. Se presenta una vulnerabilidad de tipo cross-site scripting (XSS) en versiones anteriores a 2.3.4. En un wiki que tenga la ShortDescription habilitada, un ataque de tipo XSS puede ser desencadenado en cualquier p\u00e1gina o en la p\u00e1gina con el par\u00e1metro action=info, que muestra la propiedad shortdesc. Esto es conseguido usando el wikitext \"{SHORTDESC:<img src=x onerror=alert()>}}\". Este problema presenta un parche en la versi\u00f3n 2.3.4"}], "id": "CVE-2022-21710", "lastModified": "2022-01-28T18:56:22.597", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-01-24T20:15:08.600", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/commit/7c86644158388620c6c858258cc4e1a8de6e48ea"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/commit/bf568edd892adb8528dcb64f75dddf3eeaccc12c"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/security/advisories/GHSA-mgcp-qw2r-6832"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}