CVE-2021-42042

low-risk

Published 2021-10-06

An issue was discovered in SpecialEditGrowthConfig in the GrowthExperiments extension in MediaWiki through 1.36.2. The growthexperiments-edit-config-error-invalid-title MediaWiki message was not being properly sanitized and allowed for the injection and execution of HTML and JavaScript.

Do I need to act?

0.40% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.8/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Mediawiki

Affected Vendors

Mediawiki

References (4)

Patch https://gerrit.wikimedia.org/r/q/Ibeb13d032ca044af53f6b2334e27b6b97b6f4e9f

Issue Tracking https://phabricator.wikimedia.org/T290692

Patch https://gerrit.wikimedia.org/r/q/Ibeb13d032ca044af53f6b2334e27b6b97b6f4e9f

Issue Tracking https://phabricator.wikimedia.org/T290692

/ 100

low-risk

Severity 19/34 · Moderate

Exploitability 2/34 · Minimal

Exposure 5/34 · Minimal