Cross Site Scripting Vulnerability in ManageWiki
CVE-2024-25109

5.4MEDIUM

Key Information:

Vendor

miraheze

Status
ManageWiki
Vendor
CVE Published:
9 February 2024
đź”” Create miraheze Vulnerability Alert

What is CVE-2024-25109?

ManageWiki is a MediaWiki extension allowing users to manage wikis. Special:ManageWiki does not escape escape interface messages on the columns and help keys on the form descriptor. An attacker may exploit this and would have a cross site scripting attack vector. Exploiting this on-wiki requires the (editinterface) right. Users should apply the code changes in commits 886cc6b94, 2ef0f50880, and 6942e8b2c to resolve this vulnerability. There are no known workarounds for this vulnerability.

Affected Version(s)

ManageWiki < 6942e8b2c01dc33c2c41a471f91ef3f6ca726073

References

https://github.com/miraheze/ManageWiki/security/advisorie...
x_refsource_CONFIRM
https://github.com/miraheze/ManageWiki/commit/2ef0f50880d...
x_refsource_MISC
https://github.com/miraheze/ManageWiki/commit/6942e8b2c01...
x_refsource_MISC

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.