Lucene search

GitHub_MCVELIST:CVE-2024-29883

HistoryMar 26, 2024 - 1:37 p.m.

CVE-2024-29883 CreateWiki's wiki request suppression ignores the suppression settings set by the suppressor

2024-03-2613:37:48

CWE-200

GitHub_M

www.cve.org

cve-2024-29883

createwiki

miraheze

mediawiki

extension

request suppression

visibility

user rights

CVSS3

4.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

AI Score

5.3

Confidence

High

EPSS

Percentile

15.5%

JSON

CreateWiki is Miraheze’s MediaWiki extension for requesting & creating wikis. Suppression of wiki requests does not work as intended, and always restricts visibility to those with the (createwiki) user right regardless of the settings one sets on a given wiki request. This may expose information to users who are not supposed to be able to access it.

CNA Affected

[
  {
    "vendor": "miraheze",
    "product": "CreateWiki",
    "versions": [
      {
        "version": "< 0c7c4f93834349be8f5c2a678e9a85b4b1aa7bab",
        "status": "affected"
      }
    ]
  }
]

References

gist.githubusercontent.com/redbluegreenhat/0da1ebb7185b241ce1ac6ba1e8f0b98d/raw/44c4a229aacc8233808c767a79af9e4fd581ae68/T11993.patch

github.com/miraheze/CreateWiki/security/advisories/GHSA-8wjf-mxjg-j8p9

issue-tracker.miraheze.org/T11993

CVSS3

4.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

AI Score

5.3

Confidence

High

EPSS

Percentile

15.5%

JSON

Related for CVELIST:CVE-2024-29883