{"id":"CVE-2016-6333","details":"Cross-site scripting (XSS) vulnerability in the CSS user subpage preview feature in MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote attackers to inject arbitrary web script or HTML via the edit box in Special:MyPage/common.css.","modified":"2026-04-16T06:25:23.409618904Z","published":"2017-04-20T17:59:00.633Z","references":[{"type":"WEB","url":"http://www.securityfocus.com/bid/98053"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1369613"},{"type":"FIX","url":"https://lists.wikimedia.org/pipermail/mediawiki-announce/2016-August/000195.html"},{"type":"FIX","url":"https://phabricator.wikimedia.org/T133147"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wikimedia/mediawiki","events":[{"introduced":"0"},{"last_affected":"1b1588f892b81983d5cd93bea6f5b5d652b2cdf5"},{"introduced":"0"},{"last_affected":"365e22ee61035f953b47387af92ef832f09d5982"},{"introduced":"0"},{"last_affected":"905d088b12375958099346a922d4f0ccc1db12ca"},{"introduced":"0"},{"last_affected":"f465524fc4840fb5c8b97e9ee6ffaf2a30c2e644"},{"introduced":"0"},{"last_affected":"fa11b598b4e396f606c2ffe8a4929c24e0f8cf46"},{"introduced":"0"},{"last_affected":"2e3e7395f1f290fff646510233bf6386fcf01a5d"},{"introduced":"0"},{"last_affected":"758cd9d2371d529450448cdf7eb2f1f6e099cfee"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.23.14"},{"introduced":"0"},{"last_affected":"1.26.0"},{"introduced":"0"},{"last_affected":"1.26.1"},{"introduced":"0"},{"last_affected":"1.26.2"},{"introduced":"0"},{"last_affected":"1.26.3"},{"introduced":"0"},{"last_affected":"1.26.4"},{"introduced":"0"},{"last_affected":"1.27.0"}]}}],"versions":["1.1.0","1.23.0","1.23.0-rc.1","1.23.0-rc.2","1.23.0-rc.3","1.23.0rc0","1.23.1","1.23.10","1.23.11","1.23.12","1.23.13","1.23.14","1.23.2","1.23.3","1.23.4","1.23.5","1.23.6","1.23.7","1.23.8","1.23.9","1.26.0","1.26.1","1.26.2","1.26.3","1.26.4","1.27.0","1.27.0-rc.0","1.27.0-rc.1","1.3.0beta1","1.5.0alpha1","1.5.0alpha2","1.5.0beta1","1.5.0beta2","1.5.0beta3","1.5.0beta4","1.6.0","REL1_26"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-6333.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}