An issue was discovered in MediaWiki 1.32.x through 1.34.x before 1.34.4. LogEventList::getFiltersDesc is insecurely using message text to build options names for an HTML multi-select field. The relevant code should use escaped() instead of text().
Source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25815
Reference (s):
- https://lists.wikimedia.org/pipermail/mediawiki-l/2020-September/048480.html
- FEDORA:FEDORA-2020-a4802c53d9
- URL: https://lists.fedoraproject.org/archives/list/[email protected]/message/RTTPZ7XMDS66I442OLLHXBDNP2LCBJU6/
- https://gerrit.wikimedia.org/g/mediawiki/core/+/ec76e14be658187544f07c1a249a047e1a75eaf8/includes/logging/LogEventsList.php#214
- https://lists.wikimedia.org/pipermail/mediawiki-l/2020-September/048488.html