CVE-2024-34507

7.4 HIGH

📋 TL;DR

This vulnerability allows cross-site scripting (XSS) attacks in MediaWiki due to improper handling of the escape character (0x1b) in comment parsing. Attackers can inject malicious scripts that execute in users' browsers when viewing affected pages. All MediaWiki instances running vulnerable versions are affected.

💻 Affected Systems

Products:
  • MediaWiki
Versions: MediaWiki before 1.39.7, 1.40.x before 1.40.3, and 1.41.x before 1.41.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the CommentParser.php component when processing user input containing escape characters.


⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers could steal session cookies, perform actions as authenticated users, deface pages, or redirect users to malicious sites.

🟠 Likely Case: Session hijacking, account compromise, or page defacement through script injection in comments or recent changes.

🟢 If Mitigated: Limited impact with proper content security policies and input validation, though XSS could still occur.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Demonstrated via Special:RecentChanges with crafted URL parameters; simple injection possible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: MediaWiki 1.39.7, 1.40.3, or 1.41.1

Vendor Advisory: https://phabricator.wikimedia.org/T355538

Restart Required: No

Instructions:

1. Backup your MediaWiki installation.
2. Update to the patched version via package manager or manual download.
3. Verify the update applied correctly.

🔧 Temporary Workarounds

Input Sanitization (applies to: all)

Filter or escape the 0x1b character in user input before processing.

Content Security Policy (applies to: all)

Implement strict CSP headers to mitigate XSS impact.

🧯 If You Can't Patch

  • Disable or restrict comment functionality if not essential.
  • Implement web application firewall rules to block requests containing malicious escape sequences.

🔍 How to Verify

Check if Vulnerable:

Check MediaWiki version via Special:Version page or LocalSettings.php.

Check Version:

# MW_VERSION is defined in includes/Defines.php (1.35 and later); older releases set $wgVersion in includes/DefaultSettings.php
grep -E 'MW_VERSION|wgVersion' includes/Defines.php includes/DefaultSettings.php

Verify Fix Applied:

Confirm version is 1.39.7, 1.40.3, 1.41.1 or later.

📡 Detection & Monitoring

Log Indicators:

  • Unusual requests to Special:RecentChanges with escape characters
  • XSS payloads in comment logs

Network Indicators:

  • HTTP requests containing %1b or similar escape sequences

SIEM Query:

source="*mediawiki*" AND (uri="*%1b*" OR user_agent="*<script>*")
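The two defensive pieces above, the "filter or escape the 0x1b character" workaround and the "%1b in the request URI" network indicator, as an added example. This is illustrative code written for this page, not MediaWiki's own code or its CommentParser; the access-log lines, IP addresses and the `x=` query parameter are constructed for the demonstration and do not reproduce any real exploit request. The scanner also decodes the URI twice so that a double-encoded form (`%251b`) is caught, which goes slightly beyond the single `%1b` pattern the SIEM query matches.

```python
"""Neutralize and detect the 0x1b (ESC) character from CVE-2024-34507.

Added example, not MediaWiki code. Two helpers:
  - strip_escape_char(): the input-sanitization workaround (drop 0x1b before processing)
  - scan_access_log(): flags access-log lines whose request URI carries a raw 0x1b
    byte or its percent-encoded form (%1b / %1B), the network indicator listed above.
All log lines below are constructed for illustration.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

ESC = "\x1b"

# A raw ESC byte or its percent-encoding, case-insensitive (%1b and %1B).
ESC_PATTERN = re.compile(r"\x1b|%1b", re.IGNORECASE)

# Request line of a combined-format access log: "METHOD URI HTTP/x.y".
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')


def strip_escape_char(text: str) -> str:
    """Remove every 0x1b character from user-supplied text (e.g. an edit summary).

    The character is dropped rather than escaped so that whatever parses the
    value afterwards never sees an ESC byte at all.
    """
    return text.replace(ESC, "")


def request_uri(log_line: str) -> Optional[str]:
    """Extract the request URI from a combined-format access-log line."""
    m = REQUEST_RE.search(log_line)
    return m.group("uri") if m else None


def is_suspicious_uri(uri: str) -> bool:
    """True if the URI carries ESC raw, percent-encoded, or double-encoded."""
    candidates = [uri]
    decoded = uri
    for _ in range(2):  # two rounds so %251b (double-encoded %1b) is also caught
        decoded = unquote(decoded)
        candidates.append(decoded)
    return any(ESC_PATTERN.search(c) for c in candidates)


def scan_access_log(lines: List[str]) -> List[Dict]:
    """Return one finding per log line whose request URI carries an ESC indicator."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        uri = request_uri(line)
        if uri is None:
            continue
        if is_suspicious_uri(uri):
            findings.append({
                "line": lineno,
                "uri": uri,
                # the page names Special:RecentChanges as the demonstrated vector
                "recent_changes": "Special:RecentChanges" in uri,
            })
    return findings


# Constructed sample access-log lines (combined log format); none are real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Apr/2024:12:00:01 +0000] "GET /index.php?title=Main_Page HTTP/1.1" 200 5123',
    '203.0.113.7 - - [10/Apr/2024:12:00:02 +0000] "GET /index.php?title=Special:RecentChanges&x=%1b HTTP/1.1" 200 9821',
    '198.51.100.9 - - [10/Apr/2024:12:00:03 +0000] "GET /index.php?title=Special:RecentChanges&x=%251B HTTP/1.1" 200 9821',
    '198.51.100.2 - - [10/Apr/2024:12:00:04 +0000] "POST /api.php HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
    print(repr(strip_escape_char("edit summary\x1bwith ESC")))
```

Run against the constructed sample, the scanner reports lines 2 and 3 (single- and double-encoded ESC), both aimed at Special:RecentChanges, and nothing for the ordinary requests; the percent-decoding is what keeps a simple `%1b` substring match from being bypassed with an extra encoding layer.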
