An issue was discovered in the UnlinkedWikibase extension in MediaWiki before 1.39.6, 1.40.x before 1.40.2, and 1.41.x before 1.41.1. XSS can occur through an interface message. Error messages (in the $err var) are not escaped before being passed to Html::rawElement() in the getError() function in the Hooks class.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| samwilson/unlinked-wikibase(Packagist) | 0 | 1.42.0 | N/A |
CVSS Metrics
