XSS Vulnerability in WikiDiscover Due to Unescaped Interface Messages
CVE-2024-25107

4.9 MEDIUM

Key Information:

Vendor:
Miraheze

CVE Published:
8 February 2024

What is CVE-2024-25107?

WikiDiscover is a MediaWiki extension used alongside CreateWiki to list and manage wikis. Its Language::date call, which builds the human-readable timestamps shown on the wiki listing, pulls its strings from interface messages in unescaped (text) mode, and the resulting date string is not escaped before it is written into the page. Interface messages are editable by any user holding the (editinterface) right, so such a user can place HTML or script in one of those messages and have it rendered for everyone who views the listing: a stored Cross-Site Scripting (XSS) vulnerability. Exploitation therefore requires the (editinterface) right on the affected wiki. There is no workaround; administrators must update to a version of WikiDiscover that includes commit 267e763a0. To check a deployment, confirm that the installed checkout contains that commit (for example, with git merge-base --is-ancestor 267e763a0 HEAD in the extension directory).
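The following is an added, self-contained PHP illustration of the pattern described above; it is not code from WikiDiscover or MediaWiki. The functions msgText, msgEscaped, humanDate, renderRowVulnerable and renderRowFixed are stand-ins for MediaWiki's Message::text()/escaped(), Language::date and the wikitable rendering, the message store is an array rather than the MediaWiki: namespace, and the payload is constructed for the example.

```php
<?php
// Added example (not the extension's own code): how an unescaped interface
// message edited by a user with 'editinterface' reaches the rendered HTML
// through a human-readable date, and how escaping at output closes the hole.

declare(strict_types=1);

// Constructed stand-in for the interface message store. On a real wiki these
// are the MediaWiki:<key> pages, editable by holders of the 'editinterface' right.
$messages = [
    'february' => 'February',
];

// Stand-in for Message::text(): returns the stored string with no escaping.
function msgText(array $messages, string $key): string {
    return $messages[$key] ?? "<$key>";
}

// Stand-in for Message::escaped(): the same string, HTML-escaped.
function msgEscaped(array $messages, string $key): string {
    return htmlspecialchars(msgText($messages, $key), ENT_QUOTES, 'UTF-8');
}

// Model of Language::date: turns a 14-digit MediaWiki timestamp (TS_MW,
// YYYYMMDDHHMMSS) into "8 February 2024", taking the month name from the
// interface messages in text (unescaped) mode, as the advisory describes.
function humanDate(array $messages, string $ts14): string {
    $day      = (int) substr($ts14, 6, 2);
    $monthNum = (int) substr($ts14, 4, 2);
    $year     = substr($ts14, 0, 4);
    $monthKey = strtolower(date('F', mktime(0, 0, 0, $monthNum, 1, 2000)));
    return $day . ' ' . msgText($messages, $monthKey) . ' ' . $year;
}

// Vulnerable rendering: the date string goes into the table cell as-is, so
// anything an interface-message editor put in the month name becomes markup.
function renderRowVulnerable(array $messages, string $ts14): string {
    return '<tr><td>' . humanDate($messages, $ts14) . '</td></tr>';
}

// Fixed rendering: escape the human-readable date before it touches HTML.
// Escaping at the output boundary is the robust choice; using msgEscaped()
// inside humanDate() would also neutralise this particular path.
function renderRowFixed(array $messages, string $ts14): string {
    $safe = htmlspecialchars(humanDate($messages, $ts14), ENT_QUOTES, 'UTF-8');
    return '<tr><td>' . $safe . '</td></tr>';
}

// Constructed attacker action: a user with 'editinterface' rewrites the
// month-name message to carry an event handler.
$messages['february'] = 'February<img src=x onerror=alert(document.domain)>';

$ts = '20240208000000'; // 8 February 2024 in TS_MW form

echo "vulnerable: " . renderRowVulnerable($messages, $ts) . "\n";
echo "fixed:      " . renderRowFixed($messages, $ts) . "\n";
```

Run with `php example.php`: the vulnerable row contains a live `<img onerror=...>` tag, while the fixed row shows the same payload as inert text (`&lt;img src=x onerror=...&gt;`). The cell content is identical in both cases; only the escaping at the HTML boundary differs, which is why the CVSS entry rates integrity impact High but confidentiality and availability None: the attacker controls what other viewers' browsers execute, not the server.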


Affected Version(s)

WikiDiscover < 267e763a0d7


CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Score: 4.9
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability reserved

  • Vulnerability published: 8 February 2024