CVE-2021-42044

low-risk

Published 2021-10-06

An issue was discovered in the Mentor dashboard in the GrowthExperiments extension in MediaWiki through 1.36.2. The Growthexperiments-mentor-dashboard-mentee-overview-add-filter-total-edits-headline, growthexperiments-mentor-dashboard-mentee-overview-add-filter-starred-headline, growthexperiments-mentor-dashboard-mentee-overview-info-text, growthexperiments-mentor-dashboard-mentee-overview-info-legend-headline, and growthexperiments-mentor-dashboard-mentee-overview-active-ago MediaWiki messages were not being properly sanitized and allowed for the injection and execution of HTML and JavaScript.

Do I need to act?

0.38% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.8/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Mediawiki

Affected Vendors

Mediawiki

References (4)

Patch https://gerrit.wikimedia.org/r/q/I858d55fb2eca9b50ac6ef5a6f2a7b2784f0fa0d6

Exploit https://phabricator.wikimedia.org/T289408

Patch https://gerrit.wikimedia.org/r/q/I858d55fb2eca9b50ac6ef5a6f2a7b2784f0fa0d6

Exploit https://phabricator.wikimedia.org/T289408

/ 100

low-risk

Severity 19/34 · Moderate

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal