Lucene search

K
osvGoogleOSV:BIT-MEDIAWIKI-2023-3550
HistoryMar 06, 2024 - 11:01 a.m.

BIT-mediawiki-2023-3550

2024-03-0611:01:36
Google
osv.dev
7
mediawiki
xml files
remote attacker
administrator exploit

7.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

7.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

46.8%

Mediawiki v1.40.0 does not validate namespaces used in XML files.Therefore, if the instance administrator allows XML file uploads,a remote attacker with a low-privileged user account can use thisexploit to become an administrator by sending a malicious link tothe instance administrator.

CPENameOperatorVersion
mediawikige1.40.0
mediawikile1.40.0

7.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

7.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

46.8%