Code Injection Vulnerability in Mediawiki - CSS Extension
CVE-2024-47845

8.2HIGH

Key Information:

Vendor: The Wikimedia Foundation
Status: Mediawiki - Css Extension
Vendor: CVE Published:; 5 October 2024

🔔 Create The Wikimedia Foundation Vulnerability Alert

What is CVE-2024-47845?

A vulnerability has been identified in the Mediawiki - CSS Extension, which arises from improper encoding or escaping of output. This security flaw could allow an attacker to inject malicious code into web applications utilizing the affected extension. Versions of the Mediawiki CSS Extension prior to 1.39.9, 1.41.3, and 1.42.2 are vulnerable, posing significant risks to application integrity and overall user security. It is crucial for organizations using these versions to apply the necessary updates and safeguards to mitigate potential exploitation.

Affected Version(s)

Mediawiki - CSS Extension 1.39.x < 1.39.9

Mediawiki - CSS Extension 1.41.x < 1.41.3

Mediawiki - CSS Extension 1.42.x < 1.42.2

References

https://phabricator.wikimedia.org/T368628

https://phabricator.wikimedia.org/T368594

https://gerrit.wikimedia.org/r/q/I6f38f4a8fc1dcd690ab27b8...

CVSS V3.1

Score:

8.2

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 5, 2024
Vulnerability Reserved
Oct 3, 2024

Credit

BlankEclair

Bawolff

CVE-2024-47845 Data

JSON