Lucene search

K
nvd[email protected]NVD:CVE-2023-3550
HistorySep 25, 2023 - 4:15 p.m.

CVE-2023-3550

2023-09-2516:15:14
CWE-79
web.nvd.nist.gov
xml file upload
vulnerability
mediawiki

7.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

46.8%

Mediawiki v1.40.0 does not validate namespaces used in XML files.

Therefore, if the instance administrator allows XML file uploads,

a remote attacker with a low-privileged user account can use this

exploit to become an administrator by sending a malicious link to

the instance administrator.

Affected configurations

NVD
Node
mediawikimediawikiMatch1.40.0-
Node
debiandebian_linuxMatch10.0
OR
debiandebian_linuxMatch11.0

7.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

46.8%