Lucene search

[email protected]NVD:CVE-2024-25109

HistoryFeb 09, 2024 - 11:15 p.m.

CVE-2024-25109

2024-02-0923:15:10

CWE-79

[email protected]

web.nvd.nist.gov

managewiki

mediawiki

extension

vulnerability

special:managewiki

cross site scripting

attack vector

editinterface

code changes

commits

cve-2024-25109

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

26.5%

JSON

ManageWiki is a MediaWiki extension allowing users to manage wikis. Special:ManageWiki does not escape escape interface messages on the columns and help keys on the form descriptor. An attacker may exploit this and would have a cross site scripting attack vector. Exploiting this on-wiki requires the (editinterface) right. Users should apply the code changes in commits 886cc6b94, 2ef0f50880, and 6942e8b2c to resolve this vulnerability. There are no known workarounds for this vulnerability.

Affected configurations

Nvd

Node

mirahezemanagewikiRange<2024-02-09

VendorProductVersionCPE
mirahezemanagewiki*cpe:2.3:a:miraheze:managewiki:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
miraheze	managewiki	*	cpe:2.3:a:miraheze:managewiki::::::::

References

github.com/miraheze/ManageWiki/commit/2ef0f50880d7695ca2874dc8dd515b2b9bbb02e5

github.com/miraheze/ManageWiki/commit/6942e8b2c01dc33c2c41a471f91ef3f6ca726073

github.com/miraheze/ManageWiki/commit/886cc6b94587f1c7387caa26ca9fe612e01836a0

github.com/miraheze/ManageWiki/security/advisories/GHSA-4jr2-jhfm-2r84

issue-tracker.miraheze.org/T11812