14 vulnerabilities found for CreateWiki by miraheze
FKIE_CVE-2024-47781
Vulnerability from fkie_nvd - Published: 2024-10-07 22:15 - Updated: 2024-11-14 18:19
Severity ?
Summary
CreateWiki is an extension used at Miraheze for requesting & creating wikis. The name of a requested wiki is not escaped on Special:RequestWikiQueue, so a user requesting a wiki can insert arbitrary HTML that is then displayed in the request wiki queue. If a wiki creator comes across the XSS payload, their user session can be abused to retrieve deleted wiki requests, which typically contain private information. Likewise, the sessions of users who are able to suppress requests can be abused to view sensitive information. This issue has been patched with commit `693a220` and all users are advised to apply the patch. Users unable to upgrade should disable JavaScript and/or prevent access to the vulnerable page (Special:RequestWikiQueue).
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| miraheze | createwiki | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:miraheze:createwiki:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D2DC7334-6C55-43B3-9036-9F6523C76846",
"versionEndExcluding": "2024-10-07",
"versionStartIncluding": "2018-11-07",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "CreateWiki is an extension used at Miraheze for requesting \u0026 creating wikis. The name of requested wikis is not escaped on Special:RequestWikiQueue, so a user can insert arbitrary HTML that is displayed in the request wiki queue when requesting a wiki. If a wiki creator comes across the XSS payload, their user session can be abused to retrieve deleted wiki requests, which typically contains private information. Likewise, this can also be abused on those with the ability to suppress requests to view sensitive information. This issue has been patched with commit `693a220` and all users are advised to apply the patch. Users unable to upgrade should disable Javascript and/or prevent access to the vulnerable page (Special:RequestWikiQueue)."
},
{
"lang": "es",
"value": "CreateWiki es una extensi\u00f3n que se utiliza en Miraheze para solicitar y crear wikis. El nombre de los wikis solicitados no se escapa en Special:RequestWikiQueue, por lo que un usuario puede insertar HTML arbitrario que se muestra en la cola de solicitudes de wikis cuando solicita una wiki. Si un creador de wiki se encuentra con el payload XSS, su sesi\u00f3n de usuario puede ser utilizada de forma abusiva para recuperar solicitudes de wiki eliminadas, que normalmente contienen informaci\u00f3n privada. Del mismo modo, esto tambi\u00e9n puede ser utilizado de forma abusiva por aquellos que tienen la capacidad de suprimir solicitudes para ver informaci\u00f3n confidencial. Este problema se ha corregido con el commit `693a220` y se recomienda a todos los usuarios que apliquen el parche. Los usuarios que no puedan actualizar deben desactivar Javascript y/o evitar el acceso a la p\u00e1gina vulnerable (Special:RequestWikiQueue)."
}
],
"id": "CVE-2024-47781",
"lastModified": "2024-11-14T18:19:28.180",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2024-10-07T22:15:03.133",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/miraheze/CreateWiki/commit/693a220f399ee7eb4d00e77c3c667e864b1bd306"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-h527-jh77-5g7j"
},
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking",
"Product"
],
"url": "https://issue-tracker.miraheze.org/T12693"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2022-24813
Vulnerability from fkie_nvd - Published: 2022-04-04 18:15 - Updated: 2024-11-21 06:51
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. Without the patch for this issue, anonymous comments can be made using Special:RequestWikiQueue when sent directly via POST. A patch for this issue is available in the `master` branch of CreateWiki's GitHub repository.
References
| Source | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/miraheze/CreateWiki/commit/d0ae79843d689832ccac765d6b1721e668d99ab9 | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/miraheze/CreateWiki/security/advisories/GHSA-9xvw-w66v-prvg | Patch, Third Party Advisory | |
| security-advisories@github.com | https://phabricator.miraheze.org/T9018 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/miraheze/CreateWiki/commit/d0ae79843d689832ccac765d6b1721e668d99ab9 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/miraheze/CreateWiki/security/advisories/GHSA-9xvw-w66v-prvg | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://phabricator.miraheze.org/T9018 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| miraheze | createwiki | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:miraheze:createwiki:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BEBF463E-6819-4859-872C-3C8A861AA2AD",
"versionEndExcluding": "2022-04-02",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "CreateWiki is Miraheze\u0027s MediaWiki extension for requesting \u0026 creating wikis. Without the patch for this issue, anonymous comments can be made using Special:RequestWikiQueue when sent directly via POST. A patch for this issue is available in the `master` branch of CreateWiki\u0027s GitHub repository."
},
{
"lang": "es",
"value": "CreateWiki es la extensi\u00f3n MediaWiki de Miraheze para solicitar y crear wikis. Sin el parche para este problema, pueden hacerse comentarios an\u00f3nimos usando Special:RequestWikiQueue cuando son enviados directamente por medio de POST. Un parche para este problema est\u00e1 disponible en la rama \"master\" del repositorio GitHub de CreateWiki"
}
],
"id": "CVE-2022-24813",
"lastModified": "2024-11-21T06:51:09.340",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-04-04T18:15:07.993",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/miraheze/CreateWiki/commit/d0ae79843d689832ccac765d6b1721e668d99ab9"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-9xvw-w66v-prvg"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://phabricator.miraheze.org/T9018"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/miraheze/CreateWiki/commit/d0ae79843d689832ccac765d6b1721e668d99ab9"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-9xvw-w66v-prvg"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://phabricator.miraheze.org/T9018"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
},
{
"lang": "en",
"value": "CWE-288"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2024-47781 (GCVE-0-2024-47781)
Vulnerability from cvelistv5 – Published: 2024-10-07 21:30 – Updated: 2024-10-08 14:13
Title
Cross-site Scripting (XSS) in Special:RequestWikiQueue when displaying sitename in CreateWiki
Summary
CreateWiki is an extension used at Miraheze for requesting & creating wikis. The name of a requested wiki is not escaped on Special:RequestWikiQueue, so a user requesting a wiki can insert arbitrary HTML that is then displayed in the request wiki queue. If a wiki creator comes across the XSS payload, their user session can be abused to retrieve deleted wiki requests, which typically contain private information. Likewise, the sessions of users who are able to suppress requests can be abused to view sensitive information. This issue has been patched with commit `693a220` and all users are advised to apply the patch. Users unable to upgrade should disable JavaScript and/or prevent access to the vulnerable page (Special:RequestWikiQueue).
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
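| URL | Tags |
|---|---|
| https://github.com/miraheze/CreateWiki/security/advisories/GHSA-h527-jh77-5g7j | x_refsource_CONFIRM |
| https://github.com/miraheze/CreateWiki/commit/693a220f399ee7eb4d00e77c3c667e864b1bd306 | x_refsource_MISC |
| https://issue-tracker.miraheze.org/T12693 | x_refsource_MISC |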
Impacted products
| Vendor | Product | Version |
|---|---|---|
| miraheze | CreateWiki | Affected: commits before 693a220f399ee7eb4d00e77c3c667e864b1bd306 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47781",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-08T14:13:12.961123Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-08T14:13:28.705Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CreateWiki",
"vendor": "miraheze",
"versions": [
{
"status": "affected",
"version": "commits before 693a220f399ee7eb4d00e77c3c667e864b1bd306"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CreateWiki is an extension used at Miraheze for requesting \u0026 creating wikis. The name of requested wikis is not escaped on Special:RequestWikiQueue, so a user can insert arbitrary HTML that is displayed in the request wiki queue when requesting a wiki. If a wiki creator comes across the XSS payload, their user session can be abused to retrieve deleted wiki requests, which typically contains private information. Likewise, this can also be abused on those with the ability to suppress requests to view sensitive information. This issue has been patched with commit `693a220` and all users are advised to apply the patch. Users unable to upgrade should disable Javascript and/or prevent access to the vulnerable page (Special:RequestWikiQueue)."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-07T21:30:23.058Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-h527-jh77-5g7j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-h527-jh77-5g7j"
},
{
"name": "https://github.com/miraheze/CreateWiki/commit/693a220f399ee7eb4d00e77c3c667e864b1bd306",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/miraheze/CreateWiki/commit/693a220f399ee7eb4d00e77c3c667e864b1bd306"
},
{
"name": "https://issue-tracker.miraheze.org/T12693",
"tags": [
"x_refsource_MISC"
],
"url": "https://issue-tracker.miraheze.org/T12693"
}
],
"source": {
"advisory": "GHSA-h527-jh77-5g7j",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting (XSS) in Special:RequestWikiQueue when displaying sitename in CreateWiki"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-47781",
"datePublished": "2024-10-07T21:30:23.058Z",
"dateReserved": "2024-09-30T21:28:53.236Z",
"dateUpdated": "2024-10-08T14:13:28.705Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-34701 (GCVE-0-2024-34701)
Vulnerability from cvelistv5 – Published: 2024-05-13 15:54 – Updated: 2024-08-02 02:59
Title
CreateWiki vulnerable to impersonation of wiki requester
Summary
CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. A user can be treated as the requester of a specific wiki request if their local user ID on any wiki in a wiki farm matches the local ID of the requester on the wiki where the wiki request was made. This allows them to go to that request's entry on Special:RequestWikiQueue on the wiki where their local user ID matches and take any action that the wiki requester is allowed to take from there.
Commit 02e0f298f8d35155c39aa74193cb7b867432c5b8 fixes the issue. Important note about the fix: This vulnerability has been fixed by disabling access to the REST API and special pages outside of the wiki configured as the "global wiki" in `$wgCreateWikiGlobalWiki` in a user's MediaWiki settings.
As a workaround, it is possible to disable the special pages outside of one's own global wiki by making a change similar to `miraheze/mw-config` commit e5664995fbb8644f9a80b450b4326194f20f9ddc, adapted to one's own setup. As for the REST API, before the fix there was no REST endpoint that allowed writes. Regardless, it is also possible to disable it outside of the global wiki by using `$wgCreateWikiDisableRESTAPI` and `$wgConf` in the configuration for one's own wiki farm.
Severity ?
5.9 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
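| URL | Tags |
|---|---|
| https://github.com/miraheze/CreateWiki/security/advisories/GHSA-89fx-77w7-rc64 | x_refsource_CONFIRM |
| https://github.com/miraheze/CreateWiki/commit/02e0f298f8d35155c39aa74193cb7b867432c5b8 | x_refsource_MISC |
| https://github.com/miraheze/mw-config/commit/1798e53901a202b62edab32f8bcd5c6b9e574191 | x_refsource_MISC |
| https://github.com/miraheze/mw-config/commit/e5664995fbb8644f9a80b450b4326194f20f9ddc | x_refsource_MISC |
| https://issue-tracker.miraheze.org/T12011 | x_refsource_MISC |
| https://issue-tracker.miraheze.org/T12102 | x_refsource_MISC |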
Impacted products
| Vendor | Product | Version |
|---|---|---|
| miraheze | CreateWiki | Affected: < 02e0f298f8d35155c39aa74193cb7b867432c5b8 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:miraheze:createwiki:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "createwiki",
"vendor": "miraheze",
"versions": [
{
"lessThan": "02e0f298f8d35155c39aa74193cb7b867432c5b8 ",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-34701",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-14T17:28:58.059975Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-06T19:06:13.272Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:59:21.802Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-89fx-77w7-rc64",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-89fx-77w7-rc64"
},
{
"name": "https://github.com/miraheze/CreateWiki/commit/02e0f298f8d35155c39aa74193cb7b867432c5b8",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/miraheze/CreateWiki/commit/02e0f298f8d35155c39aa74193cb7b867432c5b8"
},
{
"name": "https://github.com/miraheze/mw-config/commit/1798e53901a202b62edab32f8bcd5c6b9e574191",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/miraheze/mw-config/commit/1798e53901a202b62edab32f8bcd5c6b9e574191"
},
{
"name": "https://github.com/miraheze/mw-config/commit/e5664995fbb8644f9a80b450b4326194f20f9ddc",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/miraheze/mw-config/commit/e5664995fbb8644f9a80b450b4326194f20f9ddc"
},
{
"name": "https://issue-tracker.miraheze.org/T12011",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://issue-tracker.miraheze.org/T12011"
},
{
"name": "https://issue-tracker.miraheze.org/T12102",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://issue-tracker.miraheze.org/T12102"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "CreateWiki",
"vendor": "miraheze",
"versions": [
{
"status": "affected",
"version": "\u003c 02e0f298f8d35155c39aa74193cb7b867432c5b8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CreateWiki is Miraheze\u0027s MediaWiki extension for requesting \u0026 creating wikis. It is possible for users to be considered as the requester of a specific wiki request if their local user ID on any wiki in a wiki farm matches the local ID of the requester at the wiki where the wiki request was made. This allows them to go to that request entry\u0027s on Special:RequestWikiQueue on the wiki where their local user ID matches and take any actions that the wiki requester is allowed to take from there.\n\nCommit 02e0f298f8d35155c39aa74193cb7b867432c5b8 fixes the issue. Important note about the fix: This vulnerability has been fixed by disabling access to the REST API and special pages outside of the wiki configured as the \"global wiki\" in `$wgCreateWikiGlobalWiki` in a user\u0027s MediaWiki settings.\n\nAs a workaround, it is possible to disable the special pages outside of one\u0027s own global wiki by doing something similar to `miraheze/mw-config` commit e5664995fbb8644f9a80b450b4326194f20f9ddc that is adapted to one\u0027s own setup. As for the REST API, before the fix, there wasn\u0027t any REST endpoint that allowed one to make writes. Regardless, it is possible to also disable it outside of the global wiki by using `$wgCreateWikiDisableRESTAPI` and `$wgConf` in the configuration for one\u0027s own wiki farm.."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-13T15:54:12.956Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-89fx-77w7-rc64",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-89fx-77w7-rc64"
},
{
"name": "https://github.com/miraheze/CreateWiki/commit/02e0f298f8d35155c39aa74193cb7b867432c5b8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/miraheze/CreateWiki/commit/02e0f298f8d35155c39aa74193cb7b867432c5b8"
},
{
"name": "https://github.com/miraheze/mw-config/commit/1798e53901a202b62edab32f8bcd5c6b9e574191",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/miraheze/mw-config/commit/1798e53901a202b62edab32f8bcd5c6b9e574191"
},
{
"name": "https://github.com/miraheze/mw-config/commit/e5664995fbb8644f9a80b450b4326194f20f9ddc",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/miraheze/mw-config/commit/e5664995fbb8644f9a80b450b4326194f20f9ddc"
},
{
"name": "https://issue-tracker.miraheze.org/T12011",
"tags": [
"x_refsource_MISC"
],
"url": "https://issue-tracker.miraheze.org/T12011"
},
{
"name": "https://issue-tracker.miraheze.org/T12102",
"tags": [
"x_refsource_MISC"
],
"url": "https://issue-tracker.miraheze.org/T12102"
}
],
"source": {
"advisory": "GHSA-89fx-77w7-rc64",
"discovery": "UNKNOWN"
},
"title": "CreateWiki vulnerable to impersonation of wiki requester"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-34701",
"datePublished": "2024-05-13T15:54:12.956Z",
"dateReserved": "2024-05-07T13:53:00.132Z",
"dateUpdated": "2024-08-02T02:59:21.802Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29898 (GCVE-0-2024-29898)
Vulnerability from cvelistv5 – Published: 2024-03-28 13:43 – Updated: 2024-08-02 01:17
Title
Oversight in fix for GHSA-4rcf-3cj2-46mq may have exposed suppressed wiki requests on private wikis
Summary
CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. An oversight during the writing of the patch for CVE-2024-29897 may have exposed suppressed wiki requests to users without the `(read)` permission on private wikis that added Special:RequestWikiQueue to the read whitelist. This vulnerability is fixed in 8f8442ed5299510ea3e58416004b9334134c149c.
Severity ?
4.9 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
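| URL | Tags |
|---|---|
| https://github.com/miraheze/CreateWiki/security/advisories/GHSA-5rcv-cf88-gv8v | x_refsource_CONFIRM |
| https://github.com/miraheze/CreateWiki/security/advisories/GHSA-4rcf-3cj2-46mq | x_refsource_MISC |
| https://github.com/miraheze/CreateWiki/commit/8f8442ed5299510ea3e58416004b9334134c149c | x_refsource_MISC |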
Impacted products
| Vendor | Product | Version |
|---|---|---|
| miraheze | CreateWiki | Affected: 23415c17ffb4832667c06abcf1eadadefd4c8937 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29898",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-10T19:46:01.481261Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:56:54.259Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:17:58.434Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-5rcv-cf88-gv8v",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-5rcv-cf88-gv8v"
},
{
"name": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-4rcf-3cj2-46mq",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-4rcf-3cj2-46mq"
},
{
"name": "https://github.com/miraheze/CreateWiki/commit/8f8442ed5299510ea3e58416004b9334134c149c",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/miraheze/CreateWiki/commit/8f8442ed5299510ea3e58416004b9334134c149c"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "CreateWiki",
"vendor": "miraheze",
"versions": [
{
"status": "affected",
"version": "23415c17ffb4832667c06abcf1eadadefd4c8937"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CreateWiki is Miraheze\u0027s MediaWiki extension for requesting \u0026 creating wikis. An oversight during the writing of the patch for CVE-2024-29897 may have exposed suppressed wiki requests to private wikis that added Special:RequestWikiQueue to the read whitelist to users without the `(read)` permission. This vulnerability is fixed in 8f8442ed5299510ea3e58416004b9334134c149c."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-28T13:43:07.988Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-5rcv-cf88-gv8v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-5rcv-cf88-gv8v"
},
{
"name": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-4rcf-3cj2-46mq",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-4rcf-3cj2-46mq"
},
{
"name": "https://github.com/miraheze/CreateWiki/commit/8f8442ed5299510ea3e58416004b9334134c149c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/miraheze/CreateWiki/commit/8f8442ed5299510ea3e58416004b9334134c149c"
}
],
"source": {
"advisory": "GHSA-5rcv-cf88-gv8v",
"discovery": "UNKNOWN"
},
"title": "Oversight in fix for GHSA-4rcf-3cj2-46mq may have exposed suppressed wiki requests on private wikis"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-29898",
"datePublished": "2024-03-28T13:43:07.988Z",
"dateReserved": "2024-03-21T15:12:08.998Z",
"dateUpdated": "2024-08-02T01:17:58.434Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29897 (GCVE-0-2024-29897)
Vulnerability from cvelistv5 – Published: 2024-03-28 13:40 – Updated: 2024-09-03 18:09
Title
CreateWiki Leak of suppressed wiki requests outside of `CreateWikiGlobalWiki`
Summary
CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. It is possible for users with (delete) or (suppressrevision) on any wiki in the farm to access suppressed wiki requests by going to the request's entry on Special:RequestWikiQueue on the wiki where they have these rights. The same vulnerability was present briefly on the REST API before being quickly corrected in commit `6bc0685`. To our knowledge, the vulnerable commits of the REST API are not running in production anywhere. This vulnerability is fixed in 23415c17ffb4832667c06abcf1eadadefd4c8937.
Severity ?
4.9 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version |
|---|---|---|
| miraheze | CreateWiki | Affected: < 23415c17ffb4832667c06abcf1eadadefd4c8937 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:17:58.463Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-4rcf-3cj2-46mq",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-4rcf-3cj2-46mq"
},
{
"name": "https://github.com/miraheze/mw-config/commit/fb3e68bcef459e9cf2a415241b28042a6c9727e8",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/miraheze/mw-config/commit/fb3e68bcef459e9cf2a415241b28042a6c9727e8"
},
{
"name": "https://issue-tracker.miraheze.org/F3093343",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://issue-tracker.miraheze.org/F3093343"
},
{
"name": "https://issue-tracker.miraheze.org/T11999",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://issue-tracker.miraheze.org/T11999"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29897",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-21T19:39:30.333387Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-03T18:09:56.991Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CreateWiki",
"vendor": "miraheze",
"versions": [
{
"status": "affected",
"version": "\u003c 23415c17ffb4832667c06abcf1eadadefd4c8937"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CreateWiki is Miraheze\u0027s MediaWiki extension for requesting \u0026 creating wikis. It is possible for users with (delete) or (suppressrevision) on any wiki in the farm to access suppressed wiki requests by going to the request\u0027s entry on Special:RequestWikiQueue on the wiki where they have these rights. The same vulnerability was present briefly on the REST API before being quickly corrected in commit `6bc0685`. To our knowledge, the vulnerable commits of the REST API are not running in production anywhere. This vulnerability is fixed in 23415c17ffb4832667c06abcf1eadadefd4c8937."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-28T13:40:43.231Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-4rcf-3cj2-46mq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-4rcf-3cj2-46mq"
},
{
"name": "https://github.com/miraheze/mw-config/commit/fb3e68bcef459e9cf2a415241b28042a6c9727e8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/miraheze/mw-config/commit/fb3e68bcef459e9cf2a415241b28042a6c9727e8"
},
{
"name": "https://issue-tracker.miraheze.org/F3093343",
"tags": [
"x_refsource_MISC"
],
"url": "https://issue-tracker.miraheze.org/F3093343"
},
{
"name": "https://issue-tracker.miraheze.org/T11999",
"tags": [
"x_refsource_MISC"
],
"url": "https://issue-tracker.miraheze.org/T11999"
}
],
"source": {
"advisory": "GHSA-4rcf-3cj2-46mq",
"discovery": "UNKNOWN"
},
"title": "CreateWiki Leak of suppressed wiki requests outside of `CreateWikiGlobalWiki`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-29897",
"datePublished": "2024-03-28T13:40:43.231Z",
"dateReserved": "2024-03-21T15:12:08.998Z",
"dateUpdated": "2024-09-03T18:09:56.991Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29883 (GCVE-0-2024-29883)
Vulnerability from cvelistv5 – Published: 2024-03-26 13:37 – Updated: 2024-08-02 17:16
Title
CreateWiki's wiki request suppression ignores the suppression settings set by the suppressor
Summary
CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. Suppression of wiki requests does not work as intended: a suppressed request is always restricted to users with the `(createwiki)` user right, regardless of the suppression settings chosen for that wiki request. As a result, a request may remain visible to `(createwiki)` holders who are not supposed to be able to access it.
Severity ?
4.9 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
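| URL | Tags |
|---|---|
| https://github.com/miraheze/CreateWiki/security/advisories/GHSA-8wjf-mxjg-j8p9 | x_refsource_CONFIRM |
| https://gist.githubusercontent.com/redbluegreenhat/0da1ebb7185b241ce1ac6ba1e8f0b98d/raw/44c4a229aacc8233808c767a79af9e4fd581ae68/T11993.patch | x_refsource_MISC |
| https://issue-tracker.miraheze.org/T11993 | x_refsource_MISC |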
Impacted products
| Vendor | Product | Version |
|---|---|---|
| miraheze | CreateWiki | Affected: < 0c7c4f93834349be8f5c2a678e9a85b4b1aa7bab |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:17:58.031Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-8wjf-mxjg-j8p9",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-8wjf-mxjg-j8p9"
},
{
"name": "https://gist.githubusercontent.com/redbluegreenhat/0da1ebb7185b241ce1ac6ba1e8f0b98d/raw/44c4a229aacc8233808c767a79af9e4fd581ae68/T11993.patch",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gist.githubusercontent.com/redbluegreenhat/0da1ebb7185b241ce1ac6ba1e8f0b98d/raw/44c4a229aacc8233808c767a79af9e4fd581ae68/T11993.patch"
},
{
"name": "https://issue-tracker.miraheze.org/T11993",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://issue-tracker.miraheze.org/T11993"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29883",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-02T17:15:27.957415Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-02T17:16:09.525Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CreateWiki",
"vendor": "miraheze",
"versions": [
{
"status": "affected",
"version": "\u003c 0c7c4f93834349be8f5c2a678e9a85b4b1aa7bab"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CreateWiki is Miraheze\u0027s MediaWiki extension for requesting \u0026 creating wikis. Suppression of wiki requests does not work as intended, and always restricts visibility to those with the `(createwiki)` user right regardless of the settings one sets on a given wiki request. This may expose information to users who are not supposed to be able to access it."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-26T13:37:48.662Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-8wjf-mxjg-j8p9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-8wjf-mxjg-j8p9"
},
{
"name": "https://gist.githubusercontent.com/redbluegreenhat/0da1ebb7185b241ce1ac6ba1e8f0b98d/raw/44c4a229aacc8233808c767a79af9e4fd581ae68/T11993.patch",
"tags": [
"x_refsource_MISC"
],
"url": "https://gist.githubusercontent.com/redbluegreenhat/0da1ebb7185b241ce1ac6ba1e8f0b98d/raw/44c4a229aacc8233808c767a79af9e4fd581ae68/T11993.patch"
},
{
"name": "https://issue-tracker.miraheze.org/T11993",
"tags": [
"x_refsource_MISC"
],
"url": "https://issue-tracker.miraheze.org/T11993"
}
],
"source": {
"advisory": "GHSA-8wjf-mxjg-j8p9",
"discovery": "UNKNOWN"
},
"title": "CreateWiki\u0027s wiki request suppression ignores the suppression settings set by the suppressor"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-29883",
"datePublished": "2024-03-26T13:37:48.662Z",
"dateReserved": "2024-03-21T15:12:08.997Z",
"dateUpdated": "2024-08-02T17:16:09.525Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24813 (GCVE-0-2022-24813)
Vulnerability from cvelistv5 – Published: 2022-04-04 17:40 – Updated: 2025-04-23 18:41
Title
Authentication Bypass Using an Alternate Path or Channel in CreateWiki
Summary
CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. Without the patch for this issue, anonymous (logged-out) users can post comments on Special:RequestWikiQueue by sending the POST request directly. A patch for this issue is available in the `master` branch of CreateWiki's GitHub repository (the record lists commits before d0ae79843d689832ccac765d6b1721e668d99ab9 as affected).
Severity ?
5.3 (Medium)
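CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
- CWE-287 - Improper Authentication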
Assigner
References
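| URL | Tags |
|---|---|
| https://github.com/miraheze/CreateWiki/security/advisories/GHSA-9xvw-w66v-prvg | x_refsource_CONFIRM |
| https://github.com/miraheze/CreateWiki/commit/d0ae79843d689832ccac765d6b1721e668d99ab9 | x_refsource_MISC |
| https://phabricator.miraheze.org/T9018 | x_refsource_MISC |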
Impacted products
| Vendor | Product | Version |
|---|---|---|
| miraheze | CreateWiki | Affected: < d0ae79843d689832ccac765d6b1721e668d99ab9 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:20:50.617Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-9xvw-w66v-prvg"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/miraheze/CreateWiki/commit/d0ae79843d689832ccac765d6b1721e668d99ab9"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://phabricator.miraheze.org/T9018"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-24813",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:56:04.159218Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:41:50.268Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CreateWiki",
"vendor": "miraheze",
"versions": [
{
"status": "affected",
"version": "\u003c d0ae79843d689832ccac765d6b1721e668d99ab9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CreateWiki is Miraheze\u0027s MediaWiki extension for requesting \u0026 creating wikis. Without the patch for this issue, anonymous comments can be made using Special:RequestWikiQueue when sent directly via POST. A patch for this issue is available in the `master` branch of CreateWiki\u0027s GitHub repository."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-04T17:40:11.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-9xvw-w66v-prvg"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/miraheze/CreateWiki/commit/d0ae79843d689832ccac765d6b1721e668d99ab9"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://phabricator.miraheze.org/T9018"
}
],
"source": {
"advisory": "GHSA-9xvw-w66v-prvg",
"discovery": "UNKNOWN"
},
"title": "Authentication Bypass Using an Alternate Path or Channel in CreateWiki",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-24813",
"STATE": "PUBLIC",
"TITLE": "Authentication Bypass Using an Alternate Path or Channel in CreateWiki"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "CreateWiki",
"version": {
"version_data": [
{
"version_value": "\u003c d0ae79843d689832ccac765d6b1721e668d99ab9"
}
]
}
}
]
},
"vendor_name": "miraheze"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "CreateWiki is Miraheze\u0027s MediaWiki extension for requesting \u0026 creating wikis. Without the patch for this issue, anonymous comments can be made using Special:RequestWikiQueue when sent directly via POST. A patch for this issue is available in the `master` branch of CreateWiki\u0027s GitHub repository."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-288: Authentication Bypass Using an Alternate Path or Channel"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-287: Improper Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-9xvw-w66v-prvg",
"refsource": "CONFIRM",
"url": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-9xvw-w66v-prvg"
},
{
"name": "https://github.com/miraheze/CreateWiki/commit/d0ae79843d689832ccac765d6b1721e668d99ab9",
"refsource": "MISC",
"url": "https://github.com/miraheze/CreateWiki/commit/d0ae79843d689832ccac765d6b1721e668d99ab9"
},
{
"name": "https://phabricator.miraheze.org/T9018",
"refsource": "MISC",
"url": "https://phabricator.miraheze.org/T9018"
}
]
},
"source": {
"advisory": "GHSA-9xvw-w66v-prvg",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24813",
"datePublished": "2022-04-04T17:40:11.000Z",
"dateReserved": "2022-02-10T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:41:50.268Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47781 (GCVE-0-2024-47781)
Vulnerability from nvd – Published: 2024-10-07 21:30 – Updated: 2024-10-08 14:13
Title
Cross-site Scripting (XSS) in Special:RequestWikiQueue when displaying sitename in CreateWiki
Summary
CreateWiki is an extension used at Miraheze for requesting & creating wikis. The name of requested wikis is not escaped on Special:RequestWikiQueue, so a user can insert arbitrary HTML that is displayed in the request wiki queue when requesting a wiki. If a wiki creator comes across the XSS payload, their user session can be abused to retrieve deleted wiki requests, which typically contain private information. Likewise, this can also be abused against users with the ability to suppress requests, in order to view sensitive information. This issue has been patched with commit `693a220` and all users are advised to apply the patch. Users unable to upgrade should disable JavaScript and/or prevent access to the vulnerable page (Special:RequestWikiQueue).
Severity ?
5.3 (Medium, CVSS v4.0)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
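| URL | Tags |
|---|---|
| https://github.com/miraheze/CreateWiki/security/advisories/GHSA-h527-jh77-5g7j | x_refsource_CONFIRM |
| https://github.com/miraheze/CreateWiki/commit/693a220f399ee7eb4d00e77c3c667e864b1bd306 | x_refsource_MISC |
| https://issue-tracker.miraheze.org/T12693 | x_refsource_MISC |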
Impacted products
| Vendor | Product | Version |
|---|---|---|
| miraheze | CreateWiki | Affected: commits before 693a220f399ee7eb4d00e77c3c667e864b1bd306 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47781",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-08T14:13:12.961123Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-08T14:13:28.705Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CreateWiki",
"vendor": "miraheze",
"versions": [
{
"status": "affected",
"version": "commits before 693a220f399ee7eb4d00e77c3c667e864b1bd306"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CreateWiki is an extension used at Miraheze for requesting \u0026 creating wikis. The name of requested wikis is not escaped on Special:RequestWikiQueue, so a user can insert arbitrary HTML that is displayed in the request wiki queue when requesting a wiki. If a wiki creator comes across the XSS payload, their user session can be abused to retrieve deleted wiki requests, which typically contains private information. Likewise, this can also be abused on those with the ability to suppress requests to view sensitive information. This issue has been patched with commit `693a220` and all users are advised to apply the patch. Users unable to upgrade should disable Javascript and/or prevent access to the vulnerable page (Special:RequestWikiQueue)."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-07T21:30:23.058Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-h527-jh77-5g7j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-h527-jh77-5g7j"
},
{
"name": "https://github.com/miraheze/CreateWiki/commit/693a220f399ee7eb4d00e77c3c667e864b1bd306",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/miraheze/CreateWiki/commit/693a220f399ee7eb4d00e77c3c667e864b1bd306"
},
{
"name": "https://issue-tracker.miraheze.org/T12693",
"tags": [
"x_refsource_MISC"
],
"url": "https://issue-tracker.miraheze.org/T12693"
}
],
"source": {
"advisory": "GHSA-h527-jh77-5g7j",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting (XSS) in Special:RequestWikiQueue when displaying sitename in CreateWiki"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-47781",
"datePublished": "2024-10-07T21:30:23.058Z",
"dateReserved": "2024-09-30T21:28:53.236Z",
"dateUpdated": "2024-10-08T14:13:28.705Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-34701 (GCVE-0-2024-34701)
Vulnerability from nvd – Published: 2024-05-13 15:54 – Updated: 2024-08-02 02:59
Title
CreateWiki vulnerable to impersonation of wiki requester
Summary
CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. It is possible for users to be considered as the requester of a specific wiki request if their local user ID on any wiki in a wiki farm matches the local ID of the requester at the wiki where the wiki request was made. This allows them to go to that request's entry on Special:RequestWikiQueue on the wiki where their local user ID matches and take any actions that the wiki requester is allowed to take from there.
Commit 02e0f298f8d35155c39aa74193cb7b867432c5b8 fixes the issue. Important note about the fix: This vulnerability has been fixed by disabling access to the REST API and special pages outside of the wiki configured as the "global wiki" in `$wgCreateWikiGlobalWiki` in a user's MediaWiki settings.
As a workaround, it is possible to disable the special pages outside of one's own global wiki by doing something similar to `miraheze/mw-config` commit e5664995fbb8644f9a80b450b4326194f20f9ddc that is adapted to one's own setup. As for the REST API, before the fix, there wasn't any REST endpoint that allowed one to make writes. Regardless, it is possible to also disable it outside of the global wiki by using `$wgCreateWikiDisableRESTAPI` and `$wgConf` in the configuration for one's own wiki farm.
Severity ?
5.9 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
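| URL | Tags |
|---|---|
| https://github.com/miraheze/CreateWiki/security/advisories/GHSA-89fx-77w7-rc64 | x_refsource_CONFIRM |
| https://github.com/miraheze/CreateWiki/commit/02e0f298f8d35155c39aa74193cb7b867432c5b8 | x_refsource_MISC |
| https://github.com/miraheze/mw-config/commit/1798e53901a202b62edab32f8bcd5c6b9e574191 | x_refsource_MISC |
| https://github.com/miraheze/mw-config/commit/e5664995fbb8644f9a80b450b4326194f20f9ddc | x_refsource_MISC |
| https://issue-tracker.miraheze.org/T12011 | x_refsource_MISC |
| https://issue-tracker.miraheze.org/T12102 | x_refsource_MISC |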
Impacted products
| Vendor | Product | Version |
|---|---|---|
| miraheze | CreateWiki | Affected: < 02e0f298f8d35155c39aa74193cb7b867432c5b8 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:miraheze:createwiki:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "createwiki",
"vendor": "miraheze",
"versions": [
{
"lessThan": "02e0f298f8d35155c39aa74193cb7b867432c5b8 ",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-34701",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-14T17:28:58.059975Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-06T19:06:13.272Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:59:21.802Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-89fx-77w7-rc64",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-89fx-77w7-rc64"
},
{
"name": "https://github.com/miraheze/CreateWiki/commit/02e0f298f8d35155c39aa74193cb7b867432c5b8",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/miraheze/CreateWiki/commit/02e0f298f8d35155c39aa74193cb7b867432c5b8"
},
{
"name": "https://github.com/miraheze/mw-config/commit/1798e53901a202b62edab32f8bcd5c6b9e574191",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/miraheze/mw-config/commit/1798e53901a202b62edab32f8bcd5c6b9e574191"
},
{
"name": "https://github.com/miraheze/mw-config/commit/e5664995fbb8644f9a80b450b4326194f20f9ddc",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/miraheze/mw-config/commit/e5664995fbb8644f9a80b450b4326194f20f9ddc"
},
{
"name": "https://issue-tracker.miraheze.org/T12011",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://issue-tracker.miraheze.org/T12011"
},
{
"name": "https://issue-tracker.miraheze.org/T12102",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://issue-tracker.miraheze.org/T12102"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "CreateWiki",
"vendor": "miraheze",
"versions": [
{
"status": "affected",
"version": "\u003c 02e0f298f8d35155c39aa74193cb7b867432c5b8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CreateWiki is Miraheze\u0027s MediaWiki extension for requesting \u0026 creating wikis. It is possible for users to be considered as the requester of a specific wiki request if their local user ID on any wiki in a wiki farm matches the local ID of the requester at the wiki where the wiki request was made. This allows them to go to that request entry\u0027s on Special:RequestWikiQueue on the wiki where their local user ID matches and take any actions that the wiki requester is allowed to take from there.\n\nCommit 02e0f298f8d35155c39aa74193cb7b867432c5b8 fixes the issue. Important note about the fix: This vulnerability has been fixed by disabling access to the REST API and special pages outside of the wiki configured as the \"global wiki\" in `$wgCreateWikiGlobalWiki` in a user\u0027s MediaWiki settings.\n\nAs a workaround, it is possible to disable the special pages outside of one\u0027s own global wiki by doing something similar to `miraheze/mw-config` commit e5664995fbb8644f9a80b450b4326194f20f9ddc that is adapted to one\u0027s own setup. As for the REST API, before the fix, there wasn\u0027t any REST endpoint that allowed one to make writes. Regardless, it is possible to also disable it outside of the global wiki by using `$wgCreateWikiDisableRESTAPI` and `$wgConf` in the configuration for one\u0027s own wiki farm.."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-13T15:54:12.956Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-89fx-77w7-rc64",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-89fx-77w7-rc64"
},
{
"name": "https://github.com/miraheze/CreateWiki/commit/02e0f298f8d35155c39aa74193cb7b867432c5b8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/miraheze/CreateWiki/commit/02e0f298f8d35155c39aa74193cb7b867432c5b8"
},
{
"name": "https://github.com/miraheze/mw-config/commit/1798e53901a202b62edab32f8bcd5c6b9e574191",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/miraheze/mw-config/commit/1798e53901a202b62edab32f8bcd5c6b9e574191"
},
{
"name": "https://github.com/miraheze/mw-config/commit/e5664995fbb8644f9a80b450b4326194f20f9ddc",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/miraheze/mw-config/commit/e5664995fbb8644f9a80b450b4326194f20f9ddc"
},
{
"name": "https://issue-tracker.miraheze.org/T12011",
"tags": [
"x_refsource_MISC"
],
"url": "https://issue-tracker.miraheze.org/T12011"
},
{
"name": "https://issue-tracker.miraheze.org/T12102",
"tags": [
"x_refsource_MISC"
],
"url": "https://issue-tracker.miraheze.org/T12102"
}
],
"source": {
"advisory": "GHSA-89fx-77w7-rc64",
"discovery": "UNKNOWN"
},
"title": "CreateWiki vulnerable to impersonation of wiki requester"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-34701",
"datePublished": "2024-05-13T15:54:12.956Z",
"dateReserved": "2024-05-07T13:53:00.132Z",
"dateUpdated": "2024-08-02T02:59:21.802Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29898 (GCVE-0-2024-29898)
Vulnerability from nvd – Published: 2024-03-28 13:43 – Updated: 2024-08-02 01:17
Title
Oversight in fix for GHSA-4rcf-3cj2-46mq may have exposed suppressed wiki requests on private wikis
Summary
CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. An oversight during the writing of the patch for CVE-2024-29897 may have exposed suppressed wiki requests to users without the `(read)` permission on private wikis that added Special:RequestWikiQueue to the read whitelist. This vulnerability is fixed in 8f8442ed5299510ea3e58416004b9334134c149c.
Severity ?
4.9 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
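| URL | Tags |
|---|---|
| https://github.com/miraheze/CreateWiki/security/advisories/GHSA-5rcv-cf88-gv8v | x_refsource_CONFIRM |
| https://github.com/miraheze/CreateWiki/security/advisories/GHSA-4rcf-3cj2-46mq | x_refsource_MISC |
| https://github.com/miraheze/CreateWiki/commit/8f8442ed5299510ea3e58416004b9334134c149c | x_refsource_MISC |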
Impacted products
| Vendor | Product | Version |
|---|---|---|
| miraheze | CreateWiki | Affected: 23415c17ffb4832667c06abcf1eadadefd4c8937 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29898",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-10T19:46:01.481261Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:56:54.259Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:17:58.434Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-5rcv-cf88-gv8v",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-5rcv-cf88-gv8v"
},
{
"name": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-4rcf-3cj2-46mq",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-4rcf-3cj2-46mq"
},
{
"name": "https://github.com/miraheze/CreateWiki/commit/8f8442ed5299510ea3e58416004b9334134c149c",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/miraheze/CreateWiki/commit/8f8442ed5299510ea3e58416004b9334134c149c"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "CreateWiki",
"vendor": "miraheze",
"versions": [
{
"status": "affected",
"version": "23415c17ffb4832667c06abcf1eadadefd4c8937"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CreateWiki is Miraheze\u0027s MediaWiki extension for requesting \u0026 creating wikis. An oversight during the writing of the patch for CVE-2024-29897 may have exposed suppressed wiki requests to private wikis that added Special:RequestWikiQueue to the read whitelist to users without the `(read)` permission. This vulnerability is fixed in 8f8442ed5299510ea3e58416004b9334134c149c."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-28T13:43:07.988Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-5rcv-cf88-gv8v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-5rcv-cf88-gv8v"
},
{
"name": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-4rcf-3cj2-46mq",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-4rcf-3cj2-46mq"
},
{
"name": "https://github.com/miraheze/CreateWiki/commit/8f8442ed5299510ea3e58416004b9334134c149c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/miraheze/CreateWiki/commit/8f8442ed5299510ea3e58416004b9334134c149c"
}
],
"source": {
"advisory": "GHSA-5rcv-cf88-gv8v",
"discovery": "UNKNOWN"
},
"title": "Oversight in fix for GHSA-4rcf-3cj2-46mq may have exposed suppressed wiki requests on private wikis"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-29898",
"datePublished": "2024-03-28T13:43:07.988Z",
"dateReserved": "2024-03-21T15:12:08.998Z",
"dateUpdated": "2024-08-02T01:17:58.434Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29897 (GCVE-0-2024-29897)
Vulnerability from nvd – Published: 2024-03-28 13:40 – Updated: 2024-09-03 18:09
Title
CreateWiki Leak of suppressed wiki requests outside of `CreateWikiGlobalWiki`
Summary
CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. It is possible for users with (delete) or (suppressrevision) on any wiki in the farm to access suppressed wiki requests by going to the request's entry on Special:RequestWikiQueue on the wiki where they have these rights. The same vulnerability was present briefly on the REST API before being quickly corrected in commit `6bc0685`. To our knowledge, the vulnerable commits of the REST API are not running in production anywhere. This vulnerability is fixed in 23415c17ffb4832667c06abcf1eadadefd4c8937.
Severity ?
4.9 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
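| URL | Tags |
|---|---|
| https://github.com/miraheze/CreateWiki/security/advisories/GHSA-4rcf-3cj2-46mq | x_refsource_CONFIRM |
| https://github.com/miraheze/mw-config/commit/fb3e68bcef459e9cf2a415241b28042a6c9727e8 | x_refsource_MISC |
| https://issue-tracker.miraheze.org/F3093343 | x_refsource_MISC |
| https://issue-tracker.miraheze.org/T11999 | x_refsource_MISC |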
Impacted products
| Vendor | Product | Version |
|---|---|---|
| miraheze | CreateWiki | Affected: < 23415c17ffb4832667c06abcf1eadadefd4c8937 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:17:58.463Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-4rcf-3cj2-46mq",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-4rcf-3cj2-46mq"
},
{
"name": "https://github.com/miraheze/mw-config/commit/fb3e68bcef459e9cf2a415241b28042a6c9727e8",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/miraheze/mw-config/commit/fb3e68bcef459e9cf2a415241b28042a6c9727e8"
},
{
"name": "https://issue-tracker.miraheze.org/F3093343",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://issue-tracker.miraheze.org/F3093343"
},
{
"name": "https://issue-tracker.miraheze.org/T11999",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://issue-tracker.miraheze.org/T11999"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29897",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-21T19:39:30.333387Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-03T18:09:56.991Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CreateWiki",
"vendor": "miraheze",
"versions": [
{
"status": "affected",
"version": "\u003c 23415c17ffb4832667c06abcf1eadadefd4c8937"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CreateWiki is Miraheze\u0027s MediaWiki extension for requesting \u0026 creating wikis. It is possible for users with (delete) or (suppressrevision) on any wiki in the farm to access suppressed wiki requests by going to the request\u0027s entry on Special:RequestWikiQueue on the wiki where they have these rights. The same vulnerability was present briefly on the REST API before being quickly corrected in commit `6bc0685`. To our knowledge, the vulnerable commits of the REST API are not running in production anywhere. This vulnerability is fixed in 23415c17ffb4832667c06abcf1eadadefd4c8937."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-28T13:40:43.231Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-4rcf-3cj2-46mq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-4rcf-3cj2-46mq"
},
{
"name": "https://github.com/miraheze/mw-config/commit/fb3e68bcef459e9cf2a415241b28042a6c9727e8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/miraheze/mw-config/commit/fb3e68bcef459e9cf2a415241b28042a6c9727e8"
},
{
"name": "https://issue-tracker.miraheze.org/F3093343",
"tags": [
"x_refsource_MISC"
],
"url": "https://issue-tracker.miraheze.org/F3093343"
},
{
"name": "https://issue-tracker.miraheze.org/T11999",
"tags": [
"x_refsource_MISC"
],
"url": "https://issue-tracker.miraheze.org/T11999"
}
],
"source": {
"advisory": "GHSA-4rcf-3cj2-46mq",
"discovery": "UNKNOWN"
},
"title": "CreateWiki Leak of suppressed wiki requests outside of `CreateWikiGlobalWiki`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-29897",
"datePublished": "2024-03-28T13:40:43.231Z",
"dateReserved": "2024-03-21T15:12:08.998Z",
"dateUpdated": "2024-09-03T18:09:56.991Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29883 (GCVE-0-2024-29883)
Vulnerability from nvd – Published: 2024-03-26 13:37 – Updated: 2024-08-02 17:16
Title
CreateWiki's wiki request suppression ignores the suppression settings set by the suppressor
Summary
CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. Suppression of wiki requests does not work as intended: a suppressed request is always restricted to users with the `(createwiki)` user right, regardless of the visibility setting the suppressor chose for that request. This may expose information to users who are not supposed to be able to access it.
Severity ?
4.9 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
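| URL | Tags |
|---|---|
| https://github.com/miraheze/CreateWiki/security/advisories/GHSA-8wjf-mxjg-j8p9 | x_refsource_CONFIRM |
| https://gist.githubusercontent.com/redbluegreenhat/0da1ebb7185b241ce1ac6ba1e8f0b98d/raw/44c4a229aacc8233808c767a79af9e4fd581ae68/T11993.patch | x_refsource_MISC |
| https://issue-tracker.miraheze.org/T11993 | x_refsource_MISC |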
Impacted products
| Vendor | Product | Version |
|---|---|---|
| miraheze | CreateWiki | Affected: < 0c7c4f93834349be8f5c2a678e9a85b4b1aa7bab |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:17:58.031Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-8wjf-mxjg-j8p9",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-8wjf-mxjg-j8p9"
},
{
"name": "https://gist.githubusercontent.com/redbluegreenhat/0da1ebb7185b241ce1ac6ba1e8f0b98d/raw/44c4a229aacc8233808c767a79af9e4fd581ae68/T11993.patch",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gist.githubusercontent.com/redbluegreenhat/0da1ebb7185b241ce1ac6ba1e8f0b98d/raw/44c4a229aacc8233808c767a79af9e4fd581ae68/T11993.patch"
},
{
"name": "https://issue-tracker.miraheze.org/T11993",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://issue-tracker.miraheze.org/T11993"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29883",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-02T17:15:27.957415Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-02T17:16:09.525Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CreateWiki",
"vendor": "miraheze",
"versions": [
{
"status": "affected",
"version": "\u003c 0c7c4f93834349be8f5c2a678e9a85b4b1aa7bab"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CreateWiki is Miraheze\u0027s MediaWiki extension for requesting \u0026 creating wikis. Suppression of wiki requests does not work as intended, and always restricts visibility to those with the `(createwiki)` user right regardless of the settings one sets on a given wiki request. This may expose information to users who are not supposed to be able to access it."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-26T13:37:48.662Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-8wjf-mxjg-j8p9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-8wjf-mxjg-j8p9"
},
{
"name": "https://gist.githubusercontent.com/redbluegreenhat/0da1ebb7185b241ce1ac6ba1e8f0b98d/raw/44c4a229aacc8233808c767a79af9e4fd581ae68/T11993.patch",
"tags": [
"x_refsource_MISC"
],
"url": "https://gist.githubusercontent.com/redbluegreenhat/0da1ebb7185b241ce1ac6ba1e8f0b98d/raw/44c4a229aacc8233808c767a79af9e4fd581ae68/T11993.patch"
},
{
"name": "https://issue-tracker.miraheze.org/T11993",
"tags": [
"x_refsource_MISC"
],
"url": "https://issue-tracker.miraheze.org/T11993"
}
],
"source": {
"advisory": "GHSA-8wjf-mxjg-j8p9",
"discovery": "UNKNOWN"
},
"title": "CreateWiki\u0027s wiki request suppression ignores the suppression settings set by the suppressor"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-29883",
"datePublished": "2024-03-26T13:37:48.662Z",
"dateReserved": "2024-03-21T15:12:08.997Z",
"dateUpdated": "2024-08-02T17:16:09.525Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24813 (GCVE-0-2022-24813)
Vulnerability from nvd – Published: 2022-04-04 17:40 – Updated: 2025-04-23 18:41
Title
Authentication Bypass Using an Alternate Path or Channel in CreateWiki
Summary
CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. Without the patch for this issue, anonymous comments can be made using Special:RequestWikiQueue when sent directly via POST. A patch for this issue is available in the `master` branch of CreateWiki's GitHub repository.
Severity ?
5.3 (Medium)
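CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
- CWE-287 - Improper Authentication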
Assigner
References
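| URL | Tags |
|---|---|
| https://github.com/miraheze/CreateWiki/security/advisories/GHSA-9xvw-w66v-prvg | x_refsource_CONFIRM |
| https://github.com/miraheze/CreateWiki/commit/d0ae79843d689832ccac765d6b1721e668d99ab9 | x_refsource_MISC |
| https://phabricator.miraheze.org/T9018 | x_refsource_MISC |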
Impacted products
| Vendor | Product | Version |
|---|---|---|
| miraheze | CreateWiki | Affected: < d0ae79843d689832ccac765d6b1721e668d99ab9 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:20:50.617Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-9xvw-w66v-prvg"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/miraheze/CreateWiki/commit/d0ae79843d689832ccac765d6b1721e668d99ab9"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://phabricator.miraheze.org/T9018"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-24813",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:56:04.159218Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:41:50.268Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CreateWiki",
"vendor": "miraheze",
"versions": [
{
"status": "affected",
"version": "\u003c d0ae79843d689832ccac765d6b1721e668d99ab9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CreateWiki is Miraheze\u0027s MediaWiki extension for requesting \u0026 creating wikis. Without the patch for this issue, anonymous comments can be made using Special:RequestWikiQueue when sent directly via POST. A patch for this issue is available in the `master` branch of CreateWiki\u0027s GitHub repository."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-04T17:40:11.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-9xvw-w66v-prvg"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/miraheze/CreateWiki/commit/d0ae79843d689832ccac765d6b1721e668d99ab9"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://phabricator.miraheze.org/T9018"
}
],
"source": {
"advisory": "GHSA-9xvw-w66v-prvg",
"discovery": "UNKNOWN"
},
"title": "Authentication Bypass Using an Alternate Path or Channel in CreateWiki",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-24813",
"STATE": "PUBLIC",
"TITLE": "Authentication Bypass Using an Alternate Path or Channel in CreateWiki"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "CreateWiki",
"version": {
"version_data": [
{
"version_value": "\u003c d0ae79843d689832ccac765d6b1721e668d99ab9"
}
]
}
}
]
},
"vendor_name": "miraheze"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "CreateWiki is Miraheze\u0027s MediaWiki extension for requesting \u0026 creating wikis. Without the patch for this issue, anonymous comments can be made using Special:RequestWikiQueue when sent directly via POST. A patch for this issue is available in the `master` branch of CreateWiki\u0027s GitHub repository."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-288: Authentication Bypass Using an Alternate Path or Channel"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-287: Improper Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-9xvw-w66v-prvg",
"refsource": "CONFIRM",
"url": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-9xvw-w66v-prvg"
},
{
"name": "https://github.com/miraheze/CreateWiki/commit/d0ae79843d689832ccac765d6b1721e668d99ab9",
"refsource": "MISC",
"url": "https://github.com/miraheze/CreateWiki/commit/d0ae79843d689832ccac765d6b1721e668d99ab9"
},
{
"name": "https://phabricator.miraheze.org/T9018",
"refsource": "MISC",
"url": "https://phabricator.miraheze.org/T9018"
}
]
},
"source": {
"advisory": "GHSA-9xvw-w66v-prvg",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24813",
"datePublished": "2022-04-04T17:40:11.000Z",
"dateReserved": "2022-02-10T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:41:50.268Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}