Lucene search

K
vulnrichmentGitHub_MVULNRICHMENT:CVE-2024-36123
HistoryJun 03, 2024 - 2:17 p.m.

CVE-2024-36123 Citizen has a Stored Cross-Site Scripting Vulnerability by editing MediaWiki:Tagline

2024-06-0314:17:08
CWE-79
GitHub_M
github.com
2
citizen
mediawiki
cross-site scripting
stored
vulnerability
tagline
html
javascript
injection
editinterface
sysops
fixed
2.16.0

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

AI Score

6.5

Confidence

High

EPSS

0

Percentile

15.5%

SSVC

Exploitation

poc

Automatable

no

Technical Impact

total

Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. The page MediaWiki:Tagline has its contents used unescaped, so custom HTML (including Javascript) can be injected by someone with the ability to edit the MediaWiki namespace (typically those with the editinterface permission, or sysops). This vulnerability is fixed in 2.16.0.

CNA Affected

[
  {
    "vendor": "StarCitizenTools",
    "product": "mediawiki-skins-Citizen",
    "versions": [
      {
        "version": "< 2.16.0",
        "status": "affected"
      }
    ]
  }
]

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

AI Score

6.5

Confidence

High

EPSS

0

Percentile

15.5%

SSVC

Exploitation

poc

Automatable

no

Technical Impact

total

Related for VULNRICHMENT:CVE-2024-36123