CVE-2024-23173: 
PHP vulnerability analysis and mitigation

An issue was discovered in the Cargo extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. The vulnerability affects the Special:Drilldown page functionality, where Cross-Site Scripting (XSS) is possible through artist, album, and position parameters due to improper handling of applied filter values in drilldown/CargoAppliedFilter.php (NVD, CVE).

The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability can be exploited remotely without requiring privileges, though user interaction is needed. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-site Scripting) (NVD).

The vulnerability allows attackers to perform Cross-Site Scripting (XSS) attacks through the Special:Drilldown page parameters. This could potentially lead to unauthorized access to sensitive information and manipulation of web content presented to users (NVD).

Users should upgrade to MediaWiki versions 1.35.14, 1.39.6, or 1.40.2 or later, depending on their current version track. These versions contain the necessary security fixes to address the vulnerability (NVD).