{"id":"CVE-2016-6333","details":"Cross-site scripting (XSS) vulnerability in the CSS user subpage preview feature in MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote attackers to inject arbitrary web script or HTML via the edit box in Special:MyPage/common.css.","modified":"2026-07-08T22:48:51.255698Z","published":"2017-04-20T17:59:00.633Z","references":[{"type":"WEB","url":"http://www.securityfocus.com/bid/98053"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1369613"},{"type":"FIX","url":"https://lists.wikimedia.org/pipermail/mediawiki-announce/2016-August/000195.html"},{"type":"FIX","url":"https://phabricator.wikimedia.org/T133147"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wikimedia/mediawiki","events":[{"introduced":"0"},{"last_affected":"1b1588f892b81983d5cd93bea6f5b5d652b2cdf5"},{"introduced":"365e22ee61035f953b47387af92ef832f09d5982"},{"last_affected":"758cd9d2371d529450448cdf7eb2f1f6e099cfee"}],"database_specific":{"source":["CPE_RANGE","CPE_STRING"],"cpe":["cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*","cpe:2.3:a:mediawiki:mediawiki:1.26.0:*:*:*:*:*:*:*","cpe:2.3:a:mediawiki:mediawiki:1.26.1:*:*:*:*:*:*:*","cpe:2.3:a:mediawiki:mediawiki:1.26.2:*:*:*:*:*:*:*","cpe:2.3:a:mediawiki:mediawiki:1.26.3:*:*:*:*:*:*:*","cpe:2.3:a:mediawiki:mediawiki:1.26.4:*:*:*:*:*:*:*","cpe:2.3:a:mediawiki:mediawiki:1.27.0:*:*:*:*:*:*:*"],"extracted_events":[{"introduced":"0"},{"last_affected":"1.23.14"},{"introduced":"1.26.0"},{"last_affected":"1.26.0"},{"introduced":"1.26.1"},{"last_affected":"1.26.1"},{"introduced":"1.26.2"},{"last_affected":"1.26.2"},{"introduced":"1.26.3"},{"last_affected":"1.26.3"},{"introduced":"1.26.4"},{"last_affected":"1.26.4"},{"introduced":"1.27.0"},{"last_affected":"1.27.0"}]}}],"versions":["1.26.0","1.26.1","1.26.2","1.26.3","1.26.4","1.27.0","1.23.14","1.27.0-rc.1","1.27.0-rc.0","1.23.13","1.23.12","1.23.11","1.23.10","1.23.9","1.23.8","1.23.7","test-hashar-for-ci","1.23.6","1.23.5","1.23.4","1.23.3","1.23.2","1.23.1","1.23.0","1.23.0-rc.3","1.23.0-rc.2","1.23.0-rc.1","1.23.0rc0","1.6.0","1.5.0beta4","1.5.0beta3","1.5.0beta2","1.5.0beta1","1.5.0alpha2","1.5.0alpha1","1.3.0beta1","1.1.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-6333.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}