Lucene search

K
redosRedosROS-20240505-13
HistoryApr 05, 2024 - 12:00 a.m.

ROS-20240505-13

2024-04-0500:00:00
redos.red-soft.ru
149
mediawiki
vulnerability
remote attacker
confidentiality
integrity
availability
xss
hidden user names
unauthorized access
denial of service

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

6.6 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

19.7%

A vulnerability in the Wikibase extension of the MediaWiki hypertext environment implementation software tool
is related to the lack of restrictions on the speed of merging elements no. Exploitation of the vulnerability could
allow an attacker acting remotely to affect the integrity and availability of protected
information

Vulnerability in the SportsTeams extension of the MediaWiki hypertext environment implementation software tool
is related to failure to validate the anti-CSRF edit token in Special:SportsTeamsManager and
Special:UpdateFavoriteTeams. Exploitation of the vulnerability could allow an attacker acting remotely,
compromise the confidentiality, integrity and availability of protected information

Vulnerability in the file includes/page/Article.php of the software tool for implementing hypertext environment
MediaWiki is related to incorrect assignment of permissions for a critical resource when checking the request for
certificate signature request. Exploitation of the vulnerability could allow an attacker acting remotely to gain
Unauthorized access to protected information

Vulnerability in the DifferenceEngine.php file of a software tool for implementing a hypertext environment
MediaWiki is related to user name ignoring. Exploitation of the vulnerability could allow
an attacker acting remotely to gain access to confidential information

Vulnerability in the ProofreadPage extension of the hypertext environment implementation software tool
MediaWiki is related to the possibility XSS could occur via formatNumNoSeparators. Exploitation of the
of the vulnerability could allow an attacker acting remotely to compromise confidentiality, carry out
cross-site scripting attacks

Vulnerability in the PageTriage extension of the MediaWiki hypertext environment implementation tool
is related to the disclosure of hidden user names. Exploitation of the vulnerability could allow an attacker,
acting remotely, unauthorized access to protected information

Vulnerability in the Wikibase extension of the MediaWiki hypertext environment implementation software tool
is related to failure to run edit filters. Exploitation of the vulnerability could allow an intruder,
acting remotely, compromise confidentiality, impact data integrity

Vulnerability in the MediaWiki hypertext environment implementation software is related to incorrect input neutralization during web creation.
input neutralization during web page creation. Exploitation of the vulnerability could allow an attacker,
acting remotely, to perform cross-site scripting attacks

Vulnerability in the ApiPageSet.php file of the MediaWiki hypertext environment implementation software tool
is associated with an unbounded loop and RequestTimeoutException when a request for it is
redirected to other variants with redirects set and headers converted.
Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service

Vulnerability in the SportsTeams extension of the MediaWiki hypertext implementation software tool
is related to a lack of permission checking. Exploitation of the vulnerability could allow an attacker,
remotely compromise the confidentiality, integrity, and availability of protected information.

Vulnerability in CheckUser extension of the MediaWiki hypertext environment implementation software is related to the use of rest.php URL.
is related to the use of the URL rest.php/checkuser/v0/useragent-clienthints/revision/ to store an
an arbitrary number of strings in cu_useragent_clienthints. Exploitation of the vulnerability could allow
an attacker acting remotely to cause a denial of service

OSVersionArchitecturePackageVersionFilename
redos7.3x86_64mediawiki<= 1.40.2-1UNKNOWN

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

6.6 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

19.7%