CVE-2020-35475

Source
Severity: Medium
Remote: Yes
Type: Cross-site scripting
Description
In MediaWiki before 1.35.1, the messages userrights-expiry-current and userrights-expiry-none can contain raw HTML. XSS can happen when a user visits Special:UserRights but does not have rights to change all userrights, and the table on the left side has unchangeable groups in it. (The right column with the changeable groups is not affected and is escaped correctly.)
| Group | Package | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|---|
| AVG-1371 | mediawiki | 1.35.0-1 | 1.35.1-1 | Medium | Fixed | FS#69132 |
| Date | Advisory | Group | Package | Severity | Type |
|---|---|---|---|---|---|
| 12 Jan 2021 | ASA-202101-22 | AVG-1371 | mediawiki | Medium | multiple issues |
References
https://phabricator.wikimedia.org/T268917
https://github.com/wikimedia/mediawiki/commit/1f9756a4905cf61dbb3a3d742a0e2296d555c6fe