XSS Vulnerability in WikiDiscover Due to Unescaped Interface Messages
CVE-2024-25107

6.1 MEDIUM

Key Information:

Vendor: miraheze
CVE Published: 8 February 2024

What is CVE-2024-25107?

The WikiDiscover extension, used with CreateWiki to manage wikis, has a vulnerability involving the Language::date function, which produces human-readable timestamps from interface messages without escaping them. Because that output is not sanitized, script can be injected into the page, resulting in a Cross-Site Scripting (XSS) vulnerability. Exploitation requires the (editinterface) permission on the affected wiki, since that is what allows interface messages to be edited. The fix is in commit 267e763a0; users must update to a version containing it, as there is currently no workaround.
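To make the vulnerability class concrete, the following is an illustrative example added to this record; it is not WikiDiscover's or MediaWiki's own code, and the message key, the `$interfaceMessages` array and the two render functions are constructed stand-ins. It contrasts the unsafe pattern (an interface message, editable by anyone holding editinterface, concatenated into HTML as raw text) with the hardened pattern that escapes it. On a real wiki the raw form corresponds to `wfMessage( $key )->text()` and the safe form to `wfMessage( $key )->escaped()` or `Html::element()`.

```php
<?php
// Illustrative example only (not WikiDiscover or MediaWiki code): shows how an
// unescaped interface message inserted into HTML becomes an XSS sink, and the
// escaped form that neutralises it.

// Constructed stand-in for the wiki's interface-message store. On a real wiki
// these strings live in MediaWiki:<key> pages that editinterface can change.
$interfaceMessages = [
    // Constructed malicious value: a message edited to carry markup.
    'example-created-label' => 'Created <script>alert(1)</script>',
];

// Mirrors wfMessage( $key )->text(): returns the raw, unescaped message.
function getMessageText( array $store, string $key ): string {
    return $store[$key] ?? "<$key>";
}

// Vulnerable pattern: raw message text concatenated straight into HTML.
// Whatever markup the message contains reaches the browser and is interpreted.
function renderCreatedVulnerable( array $store, string $humanDate ): string {
    $label = getMessageText( $store, 'example-created-label' );
    return '<span class="wiki-created">' . $label . ': ' . $humanDate . '</span>';
}

// Hardened pattern: every string that is not a fixed literal is HTML-escaped
// before it is placed in the output. htmlspecialchars() is the plain-PHP
// equivalent of wfMessage( $key )->escaped() / Html::element() in MediaWiki.
function renderCreatedSafe( array $store, string $humanDate ): string {
    $label = htmlspecialchars( getMessageText( $store, 'example-created-label' ), ENT_QUOTES );
    $date  = htmlspecialchars( $humanDate, ENT_QUOTES );
    return '<span class="wiki-created">' . $label . ': ' . $date . '</span>';
}

// Constructed stand-in for a human-readable timestamp such as Language::date() yields.
$date = '8 February 2024';

echo renderCreatedVulnerable( $interfaceMessages, $date ), "\n";
echo renderCreatedSafe( $interfaceMessages, $date ), "\n";
```

Run with `php example.php`: the first line of output carries the `<script>` tag through to the browser intact, while in the second the angle brackets have become `&lt;` and `&gt;`, so the message renders as literal text. The defensive rule this illustrates is that interface messages are attacker-influenced input on any wiki where editinterface is granted beyond fully trusted users, and must be treated like any other untrusted string at the HTML boundary.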

Affected Version(s)

WikiDiscover < 267e763a0d7

References

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved