CVE-2023-45359 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2023-45359

CVE-2023-45359

Published:October 09, 2024

Updated:May 17, 2026

An issue was discovered in the Vector Skin component for MediaWiki before 1.39.5 and 1.40.x before 1.40.1. vector-toc-toggle-button-label is not escaped, but should be, because the line param can have markup.

Affected Packages

mediawiki/vector-skin (PHP):

Affected version(s) =dev-wmf/1.40.0-wmf.19 <dev-wmf/1.40.0-wmf.2

Fix Suggestion:

Update to version dev-wmf/1.40.0-wmf.2

mediawiki/vector-skin (PHP):

Affected version(s) =dev-REL1_40 <dev-wmf/1.40.0-wmf.1

Fix Suggestion:

Update to version dev-wmf/1.40.0-wmf.1

mediawiki/vector-skin (PHP):

Affected version(s) =dev-wmf/branch_cut_pretest <dev-wmf/next

Fix Suggestion:

Update to version dev-wmf/next

mediawiki/vector-skin (PHP):

Affected version(s) =dev-wmf/1.41.0-wmf.2 <dev-wmf/1.41.0-wmf.20

Fix Suggestion:

Update to version dev-wmf/1.41.0-wmf.20

mediawiki/vector-skin (PHP):

Affected version(s) >=dev-wmf/1.41.0-wmf.4 <dev-REL1_42

Fix Suggestion:

Update to version dev-REL1_42

mediawiki/vector-skin (PHP):

Affected version(s) >=dev-wmf/1.40.0-wmf.20 <dev-wmf/1.40.0-wmf.3

Fix Suggestion:

Update to version dev-wmf/1.40.0-wmf.3

mediawiki/vector-skin (PHP):

Affected version(s) =dev-wmf/1.41.0-wmf.3 <dev-wmf/1.41.0-wmf.30

Fix Suggestion:

Update to version dev-wmf/1.41.0-wmf.30

mediawiki/vector-skin (PHP):

Affected version(s) >=dev-wmf/1.41.0-wmf.1 <dev-wmf/1.41.0-wmf.17

Fix Suggestion:

Update to version dev-wmf/1.41.0-wmf.17

Related Resources (2)

https://phabricator.wikimedia.org/T340217

https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/skins/Vector/+/c17b956e0750e051ac7c1098e3ff625f0db82b2c

Do you need more information?

CVSS v4

Base Score:

6.9

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

LOW

Vulnerable System Integrity

LOW

Vulnerable System Availability

NONE

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Weakness Type (CWE)

Improper Encoding or Escaping of Output

CWE-116

EPSS

Base Score:

0.22