CVE-2020-35475 - log

CVE-2020-35475 edited at 18 Dec 2020 13:42:07
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Cross-site scripting
Description
+ In MediaWiki before 1.35.1, the messages userrights-expiry-current and userrights-expiry-none can contain raw HTML. XSS can happen when a user visits Special:UserRights but does not have rights to change all userrights, and the table on the left side has unchangeable groups in it. (The right column with the changeable groups is not affected and is escaped correctly.)
References
+ https://phabricator.wikimedia.org/T268917
+ https://github.com/wikimedia/mediawiki/commit/1f9756a4905cf61dbb3a3d742a0e2296d555c6fe
Notes
CVE-2020-35475 created at 18 Dec 2020 13:31:11