Search criteria
6 vulnerabilities found for WikiDiscover by miraheze
FKIE_CVE-2024-47782
Vulnerability from fkie_nvd - Published: 2024-10-07 22:15 - Updated: 2024-11-14 18:19
Severity ?
7.6 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
WikiDiscover is an extension designed for use with a CreateWiki managed farm to display wikis. Special:WikiDiscover is a special page that lists all wikis on the wiki farm. However, the special page does not make any effort to escape the wiki name or description. Therefore, if a wiki sets its name and/or description to an XSS payload, the XSS will execute whenever the wiki is shown on Special:WikiDiscover. This issue has been patched with commit `2ce846dd93` and all users are advised to apply that patch. User unable to upgrade should block access to `Special:WikiDiscover`.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| miraheze | wikidiscover | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:miraheze:wikidiscover:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A2F76D71-5697-4335-881C-D6A8B40CF735",
"versionEndExcluding": "2024-10-06",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "WikiDiscover is an extension designed for use with a CreateWiki managed farm to display wikis. Special:WikiDiscover is a special page that lists all wikis on the wiki farm. However, the special page does not make any effort to escape the wiki name or description. Therefore, if a wiki sets its name and/or description to an XSS payload, the XSS will execute whenever the wiki is shown on Special:WikiDiscover. This issue has been patched with commit `2ce846dd93` and all users are advised to apply that patch. User unable to upgrade should block access to `Special:WikiDiscover`."
},
{
"lang": "es",
"value": "WikiDiscover es una extensi\u00f3n dise\u00f1ada para usarse con una granja administrada por CreateWiki para mostrar wikis. Special:WikiDiscover es una p\u00e1gina especial que enumera todas las wikis de la granja de wikis. Sin embargo, la p\u00e1gina especial no hace ning\u00fan esfuerzo por escapar del nombre o la descripci\u00f3n de la wiki. Por lo tanto, si una wiki establece su nombre y/o descripci\u00f3n en una carga XSS, el XSS se ejecutar\u00e1 siempre que la wiki se muestre en Special:WikiDiscover. Este problema se ha corregido con el commit `2ce846dd93` y se recomienda a todos los usuarios que apliquen ese parche. Los usuarios que no puedan actualizar deben bloquear el acceso a `Special:WikiDiscover`."
}
],
"id": "CVE-2024-47782",
"lastModified": "2024-11-14T18:19:34.127",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 4.7,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-10-07T22:15:03.257",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/miraheze/WikiDiscover/commit/2ce846dd93ddb9ec86f7472c4d57fe71a09dc827"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/miraheze/WikiDiscover/security/advisories/GHSA-wf48-rqx3-39mf"
},
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking",
"Product"
],
"url": "https://issue-tracker.miraheze.org/T12697"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
},
{
"lang": "en",
"value": "CWE-80"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-25107
Vulnerability from fkie_nvd - Published: 2024-02-08 23:15 - Updated: 2024-11-21 09:00
Severity ?
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
WikiDiscover is an extension designed for use with a CreateWiki managed farm to display wikis. On Special:WikiDiscover, the `Language::date` function is used when making the human-readable timestamp for inclusion on the wiki_creation column. This function uses interface messages to translate the names of months and days. It uses the `->text()` output mode, returning unescaped interface messages. Since the output is not escaped later, the unescaped interface message is included on the output, resulting in an XSS vulnerability. Exploiting this on-wiki requires the `(editinterface)` right. This vulnerability has been addressed in commit `267e763a0`. Users are advised to update their installations. There are no known workarounds for this vulnerability.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| miraheze | wikidiscover | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:miraheze:wikidiscover:*:*:*:*:*:*:*:*",
"matchCriteriaId": "02EFBBB8-D7A9-4849-8269-FC4BEEC45608",
"versionEndExcluding": "2023-02-08",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "WikiDiscover is an extension designed for use with a CreateWiki managed farm to display wikis. On Special:WikiDiscover, the `Language::date` function is used when making the human-readable timestamp for inclusion on the wiki_creation column. This function uses interface messages to translate the names of months and days. It uses the `-\u003etext()` output mode, returning unescaped interface messages. Since the output is not escaped later, the unescaped interface message is included on the output, resulting in an XSS vulnerability. Exploiting this on-wiki requires the `(editinterface)` right. This vulnerability has been addressed in commit `267e763a0`. Users are advised to update their installations. There are no known workarounds for this vulnerability."
},
{
"lang": "es",
"value": "WikiDiscover es una extensi\u00f3n manipulada para usarse con una granja administrada CreateWiki para mostrar wikis. En Special:WikiDiscover, la funci\u00f3n `Language::date` se utiliza al crear la marca de tiempo legible por humanos para su inclusi\u00f3n en la columna wiki_creation. Esta funci\u00f3n utiliza mensajes de interfaz para traducir los nombres de meses y d\u00edas. Utiliza el modo de salida `-\u0026gt;text()`, devolviendo mensajes de interfaz sin escape. Dado que la salida no se escapa m\u00e1s adelante, el mensaje de interfaz sin escape se incluye en la salida, lo que genera una vulnerabilidad XSS. Explotar este wiki requiere el derecho `(editinterface)`. Esta vulnerabilidad se ha solucionado en el commit `267e763a0`. Se recomienda a los usuarios que actualicen sus instalaciones. No se conocen workarounds para esta vulnerabilidad."
}
],
"id": "CVE-2024-25107",
"lastModified": "2024-11-21T09:00:16.140",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-02-08T23:15:10.583",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/miraheze/WikiDiscover/commit/267e763a0d7460f001693c42f67717a0fc3fd6bb"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/miraheze/WikiDiscover/security/advisories/GHSA-cfcf-94jv-455f"
},
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://issue-tracker.miraheze.org/T11814"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/miraheze/WikiDiscover/commit/267e763a0d7460f001693c42f67717a0fc3fd6bb"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/miraheze/WikiDiscover/security/advisories/GHSA-cfcf-94jv-455f"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://issue-tracker.miraheze.org/T11814"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
CVE-2024-47782 (GCVE-0-2024-47782)
Vulnerability from cvelistv5 – Published: 2024-10-07 21:28 – Updated: 2024-10-08 14:11
VLAI?
Title
Cross-site Scripting (XSS) in Special:WikiDiscover when displaying wiki information in WikiDiscover
Summary
WikiDiscover is an extension designed for use with a CreateWiki managed farm to display wikis. Special:WikiDiscover is a special page that lists all wikis on the wiki farm. However, the special page does not make any effort to escape the wiki name or description. Therefore, if a wiki sets its name and/or description to an XSS payload, the XSS will execute whenever the wiki is shown on Special:WikiDiscover. This issue has been patched with commit `2ce846dd93` and all users are advised to apply that patch. User unable to upgrade should block access to `Special:WikiDiscover`.
Severity ?
7.6 (High)
CWE
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| miraheze | WikiDiscover |
Affected:
commits before 2ce846dd93ddb9ec86f7472c4d57fe71a09dc827
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47782",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-08T14:11:34.331700Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-08T14:11:43.995Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WikiDiscover",
"vendor": "miraheze",
"versions": [
{
"status": "affected",
"version": "commits before 2ce846dd93ddb9ec86f7472c4d57fe71a09dc827"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "WikiDiscover is an extension designed for use with a CreateWiki managed farm to display wikis. Special:WikiDiscover is a special page that lists all wikis on the wiki farm. However, the special page does not make any effort to escape the wiki name or description. Therefore, if a wiki sets its name and/or description to an XSS payload, the XSS will execute whenever the wiki is shown on Special:WikiDiscover. This issue has been patched with commit `2ce846dd93` and all users are advised to apply that patch. User unable to upgrade should block access to `Special:WikiDiscover`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-07T21:28:01.299Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/miraheze/WikiDiscover/security/advisories/GHSA-wf48-rqx3-39mf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/miraheze/WikiDiscover/security/advisories/GHSA-wf48-rqx3-39mf"
},
{
"name": "https://github.com/miraheze/WikiDiscover/commit/2ce846dd93ddb9ec86f7472c4d57fe71a09dc827",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/miraheze/WikiDiscover/commit/2ce846dd93ddb9ec86f7472c4d57fe71a09dc827"
},
{
"name": "https://issue-tracker.miraheze.org/T12697",
"tags": [
"x_refsource_MISC"
],
"url": "https://issue-tracker.miraheze.org/T12697"
}
],
"source": {
"advisory": "GHSA-wf48-rqx3-39mf",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting (XSS) in Special:WikiDiscover when displaying wiki information in WikiDiscover"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-47782",
"datePublished": "2024-10-07T21:28:01.299Z",
"dateReserved": "2024-09-30T21:28:53.236Z",
"dateUpdated": "2024-10-08T14:11:43.995Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-25107 (GCVE-0-2024-25107)
Vulnerability from cvelistv5 – Published: 2024-02-08 22:46 – Updated: 2025-06-17 21:29
VLAI?
Title
Cross-Site Scripting in WikiDiscover
Summary
WikiDiscover is an extension designed for use with a CreateWiki managed farm to display wikis. On Special:WikiDiscover, the `Language::date` function is used when making the human-readable timestamp for inclusion on the wiki_creation column. This function uses interface messages to translate the names of months and days. It uses the `->text()` output mode, returning unescaped interface messages. Since the output is not escaped later, the unescaped interface message is included on the output, resulting in an XSS vulnerability. Exploiting this on-wiki requires the `(editinterface)` right. This vulnerability has been addressed in commit `267e763a0`. Users are advised to update their installations. There are no known workarounds for this vulnerability.
Severity ?
4.9 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| miraheze | WikiDiscover |
Affected:
< 267e763a0d7
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:36:21.571Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/miraheze/WikiDiscover/security/advisories/GHSA-cfcf-94jv-455f",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/miraheze/WikiDiscover/security/advisories/GHSA-cfcf-94jv-455f"
},
{
"name": "https://github.com/miraheze/WikiDiscover/commit/267e763a0d7460f001693c42f67717a0fc3fd6bb",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/miraheze/WikiDiscover/commit/267e763a0d7460f001693c42f67717a0fc3fd6bb"
},
{
"name": "https://issue-tracker.miraheze.org/T11814",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://issue-tracker.miraheze.org/T11814"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-25107",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-09T17:17:16.716313Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T21:29:29.418Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WikiDiscover",
"vendor": "miraheze",
"versions": [
{
"status": "affected",
"version": "\u003c 267e763a0d7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "WikiDiscover is an extension designed for use with a CreateWiki managed farm to display wikis. On Special:WikiDiscover, the `Language::date` function is used when making the human-readable timestamp for inclusion on the wiki_creation column. This function uses interface messages to translate the names of months and days. It uses the `-\u003etext()` output mode, returning unescaped interface messages. Since the output is not escaped later, the unescaped interface message is included on the output, resulting in an XSS vulnerability. Exploiting this on-wiki requires the `(editinterface)` right. This vulnerability has been addressed in commit `267e763a0`. Users are advised to update their installations. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-08T22:46:39.144Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/miraheze/WikiDiscover/security/advisories/GHSA-cfcf-94jv-455f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/miraheze/WikiDiscover/security/advisories/GHSA-cfcf-94jv-455f"
},
{
"name": "https://github.com/miraheze/WikiDiscover/commit/267e763a0d7460f001693c42f67717a0fc3fd6bb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/miraheze/WikiDiscover/commit/267e763a0d7460f001693c42f67717a0fc3fd6bb"
},
{
"name": "https://issue-tracker.miraheze.org/T11814",
"tags": [
"x_refsource_MISC"
],
"url": "https://issue-tracker.miraheze.org/T11814"
}
],
"source": {
"advisory": "GHSA-cfcf-94jv-455f",
"discovery": "UNKNOWN"
},
"title": "Cross-Site Scripting in WikiDiscover"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-25107",
"datePublished": "2024-02-08T22:46:39.144Z",
"dateReserved": "2024-02-05T14:14:46.378Z",
"dateUpdated": "2025-06-17T21:29:29.418Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47782 (GCVE-0-2024-47782)
Vulnerability from nvd – Published: 2024-10-07 21:28 – Updated: 2024-10-08 14:11
VLAI?
Title
Cross-site Scripting (XSS) in Special:WikiDiscover when displaying wiki information in WikiDiscover
Summary
WikiDiscover is an extension designed for use with a CreateWiki managed farm to display wikis. Special:WikiDiscover is a special page that lists all wikis on the wiki farm. However, the special page does not make any effort to escape the wiki name or description. Therefore, if a wiki sets its name and/or description to an XSS payload, the XSS will execute whenever the wiki is shown on Special:WikiDiscover. This issue has been patched with commit `2ce846dd93` and all users are advised to apply that patch. User unable to upgrade should block access to `Special:WikiDiscover`.
Severity ?
7.6 (High)
CWE
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| miraheze | WikiDiscover |
Affected:
commits before 2ce846dd93ddb9ec86f7472c4d57fe71a09dc827
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47782",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-08T14:11:34.331700Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-08T14:11:43.995Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WikiDiscover",
"vendor": "miraheze",
"versions": [
{
"status": "affected",
"version": "commits before 2ce846dd93ddb9ec86f7472c4d57fe71a09dc827"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "WikiDiscover is an extension designed for use with a CreateWiki managed farm to display wikis. Special:WikiDiscover is a special page that lists all wikis on the wiki farm. However, the special page does not make any effort to escape the wiki name or description. Therefore, if a wiki sets its name and/or description to an XSS payload, the XSS will execute whenever the wiki is shown on Special:WikiDiscover. This issue has been patched with commit `2ce846dd93` and all users are advised to apply that patch. User unable to upgrade should block access to `Special:WikiDiscover`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-07T21:28:01.299Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/miraheze/WikiDiscover/security/advisories/GHSA-wf48-rqx3-39mf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/miraheze/WikiDiscover/security/advisories/GHSA-wf48-rqx3-39mf"
},
{
"name": "https://github.com/miraheze/WikiDiscover/commit/2ce846dd93ddb9ec86f7472c4d57fe71a09dc827",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/miraheze/WikiDiscover/commit/2ce846dd93ddb9ec86f7472c4d57fe71a09dc827"
},
{
"name": "https://issue-tracker.miraheze.org/T12697",
"tags": [
"x_refsource_MISC"
],
"url": "https://issue-tracker.miraheze.org/T12697"
}
],
"source": {
"advisory": "GHSA-wf48-rqx3-39mf",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting (XSS) in Special:WikiDiscover when displaying wiki information in WikiDiscover"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-47782",
"datePublished": "2024-10-07T21:28:01.299Z",
"dateReserved": "2024-09-30T21:28:53.236Z",
"dateUpdated": "2024-10-08T14:11:43.995Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-25107 (GCVE-0-2024-25107)
Vulnerability from nvd – Published: 2024-02-08 22:46 – Updated: 2025-06-17 21:29
VLAI?
Title
Cross-Site Scripting in WikiDiscover
Summary
WikiDiscover is an extension designed for use with a CreateWiki managed farm to display wikis. On Special:WikiDiscover, the `Language::date` function is used when making the human-readable timestamp for inclusion on the wiki_creation column. This function uses interface messages to translate the names of months and days. It uses the `->text()` output mode, returning unescaped interface messages. Since the output is not escaped later, the unescaped interface message is included on the output, resulting in an XSS vulnerability. Exploiting this on-wiki requires the `(editinterface)` right. This vulnerability has been addressed in commit `267e763a0`. Users are advised to update their installations. There are no known workarounds for this vulnerability.
Severity ?
4.9 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| miraheze | WikiDiscover |
Affected:
< 267e763a0d7
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:36:21.571Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/miraheze/WikiDiscover/security/advisories/GHSA-cfcf-94jv-455f",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/miraheze/WikiDiscover/security/advisories/GHSA-cfcf-94jv-455f"
},
{
"name": "https://github.com/miraheze/WikiDiscover/commit/267e763a0d7460f001693c42f67717a0fc3fd6bb",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/miraheze/WikiDiscover/commit/267e763a0d7460f001693c42f67717a0fc3fd6bb"
},
{
"name": "https://issue-tracker.miraheze.org/T11814",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://issue-tracker.miraheze.org/T11814"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-25107",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-09T17:17:16.716313Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T21:29:29.418Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WikiDiscover",
"vendor": "miraheze",
"versions": [
{
"status": "affected",
"version": "\u003c 267e763a0d7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "WikiDiscover is an extension designed for use with a CreateWiki managed farm to display wikis. On Special:WikiDiscover, the `Language::date` function is used when making the human-readable timestamp for inclusion on the wiki_creation column. This function uses interface messages to translate the names of months and days. It uses the `-\u003etext()` output mode, returning unescaped interface messages. Since the output is not escaped later, the unescaped interface message is included on the output, resulting in an XSS vulnerability. Exploiting this on-wiki requires the `(editinterface)` right. This vulnerability has been addressed in commit `267e763a0`. Users are advised to update their installations. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-08T22:46:39.144Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/miraheze/WikiDiscover/security/advisories/GHSA-cfcf-94jv-455f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/miraheze/WikiDiscover/security/advisories/GHSA-cfcf-94jv-455f"
},
{
"name": "https://github.com/miraheze/WikiDiscover/commit/267e763a0d7460f001693c42f67717a0fc3fd6bb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/miraheze/WikiDiscover/commit/267e763a0d7460f001693c42f67717a0fc3fd6bb"
},
{
"name": "https://issue-tracker.miraheze.org/T11814",
"tags": [
"x_refsource_MISC"
],
"url": "https://issue-tracker.miraheze.org/T11814"
}
],
"source": {
"advisory": "GHSA-cfcf-94jv-455f",
"discovery": "UNKNOWN"
},
"title": "Cross-Site Scripting in WikiDiscover"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-25107",
"datePublished": "2024-02-08T22:46:39.144Z",
"dateReserved": "2024-02-05T14:14:46.378Z",
"dateUpdated": "2025-06-17T21:29:29.418Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}