
CVE-2020-35475 : What You Need to Know

Learn about CVE-2020-35475 affecting MediaWiki before 1.35.1, allowing XSS attacks via user rights messages. Find mitigation steps and prevention measures here.

In MediaWiki before 1.35.1, a vulnerability exists that can lead to XSS when a user visits Special:UserRights. CVE-2020-35475 concerns how the application renders certain user-rights messages.

Understanding CVE-2020-35475

This CVE affects MediaWiki instances running versions prior to 1.35.1, potentially exposing users to cross-site scripting (XSS) attacks.

What is CVE-2020-35475?

In MediaWiki before version 1.35.1, specific messages within the application can contain raw HTML. The vulnerability is triggered when a user who lacks full rights to modify all user rights views Special:UserRights, specifically when unchangeable groups appear in the left-side table.

The Impact of CVE-2020-35475

The vulnerability allows XSS when the affected messages are rendered for users viewing Special:UserRights, potentially leading to unauthorized access or data manipulation.

Technical Details of CVE-2020-35475

MediaWiki's vulnerability in handling user rights messages exposes users to potential XSS attacks.

Vulnerability Description

The messages userrights-expiry-current and userrights-expiry-none in MediaWiki before 1.35.1 can contain raw HTML, enabling XSS attacks during user interactions with Special:UserRights.

Affected Systems and Versions

        MediaWiki versions before 1.35.1

Exploitation Mechanism

        A user without full rights to modify all user rights views Special:UserRights
        Unchangeable groups are present in the left-side table
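The following is an added illustration, not MediaWiki's own code (MediaWiki is written in PHP; this is a simplified Python model). It shows why a message that is allowed to carry raw HTML becomes an XSS sink in the left-side table, how escaping the expanded message before it is placed in the cell removes the problem, and a small check that flags the two message keys named above when their on-wiki text contains markup. The message contents and the `$1` placeholder convention used here are constructed assumptions for the example.

```python
import html
import re

# The two message keys the advisory identifies as able to carry raw HTML
# before MediaWiki 1.35.1.
EXPIRY_MESSAGE_KEYS = ("userrights-expiry-current", "userrights-expiry-none")

# Constructed sample of message texts (as an administrator might override them
# on-wiki); not real data. "$1" stands for the expiry timestamp (assumed).
SAMPLE_MESSAGES = {
    "userrights-expiry-none": "does not expire",
    "userrights-expiry-current": "expires $1 <i>(local override)</i>",
}

TAG_RE = re.compile(r"<[^>]+>")


def flag_html_in_expiry_messages(messages):
    """Return the expiry message keys whose text contains HTML markup.

    Useful as a configuration check: these messages should be plain text.
    """
    return [k for k in EXPIRY_MESSAGE_KEYS
            if k in messages and TAG_RE.search(messages[k])]


def expand(message, expiry):
    """Substitute the expiry value into the message placeholder."""
    return message.replace("$1", expiry)


def render_row_vulnerable(group, message, expiry):
    """Model of the pre-fix behaviour: the expanded message text is written
    into the unchangeable-group row as-is, so any markup it carries is
    interpreted by the browser."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (
        html.escape(group), expand(message, expiry))


def render_row_fixed(group, message, expiry):
    """Hardened form: escape the fully expanded message (placeholder value
    included) so markup is displayed as literal text."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (
        html.escape(group), html.escape(expand(message, expiry), quote=True))
```

Running `flag_html_in_expiry_messages(SAMPLE_MESSAGES)` on the constructed sample reports only `userrights-expiry-current`, and only `render_row_fixed` keeps the `<i>` tag from reaching the browser as markup.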

Mitigation and Prevention

To address CVE-2020-35475, immediate actions and long-term security practices are recommended.

Immediate Steps to Take

        Upgrade MediaWiki to version 1.35.1 or later
        Monitor user rights changes and access to Special:UserRights

Long-Term Security Practices

        Regularly update MediaWiki and apply security patches
        Educate users on safe browsing practices and XSS awareness

Patching and Updates

        Apply the latest security patches and updates provided by MediaWiki
