Suppressed Wiki Requests Vulnerability in Miraheze's MediaWiki Extension
CVE-2024-29897

4.9MEDIUM

Key Information:

Vendor

Miraheze

Status
Createwiki
Vendor
CVE Published:
28 March 2024
đź”” Create Miraheze Vulnerability Alert

What is CVE-2024-29897?

CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. It is possible for users with (delete) or (suppressrevision) on any wiki in the farm to access suppressed wiki requests by going to the request's entry on Special:RequestWikiQueue on the wiki where they have these rights. The same vulnerability was present briefly on the REST API before being quickly corrected in commit 6bc0685. To our knowledge, the vulnerable commits of the REST API are not running in production anywhere. This vulnerability is fixed in 23415c17ffb4832667c06abcf1eadadefd4c8937.

Affected Version(s)

CreateWiki < 23415c17ffb4832667c06abcf1eadadefd4c8937

References

https://github.com/miraheze/CreateWiki/security/advisorie...
x_refsource_CONFIRM
https://github.com/miraheze/mw-config/commit/fb3e68bcef45...
x_refsource_MISC
https://issue-tracker.miraheze.org/F3093343
x_refsource_MISC

CVSS V3.1

Score:
4.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.