Code Injection Vulnerability in Mediawiki - CSS Extension
CVE-2024-47845

8.2HIGH

Key Information:

Vendor: The Wikimedia Foundation
Status: Mediawiki - Css Extension
Vendor: CVE Published:; 5 October 2024

Summary

A vulnerability has been identified in the Mediawiki - CSS Extension, which arises from improper encoding or escaping of output. This security flaw could allow an attacker to inject malicious code into web applications utilizing the affected extension. Versions of the Mediawiki CSS Extension prior to 1.39.9, 1.41.3, and 1.42.2 are vulnerable, posing significant risks to application integrity and overall user security. It is crucial for organizations using these versions to apply the necessary updates and safeguards to mitigate potential exploitation.

Affected Version(s)

Mediawiki - CSS Extension 1.39.x < 1.39.9

Mediawiki - CSS Extension 1.41.x < 1.41.3

Mediawiki - CSS Extension 1.42.x < 1.42.2

References

https://phabricator.wikimedia.org/T368628

https://phabricator.wikimedia.org/T368594

https://gerrit.wikimedia.org/r/q/I6f38f4a8fc1dcd690ab27b8...

CVSS V3.1

Score:

8.2

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Oct 5, 2024
Vulnerability Reserved
Oct 3, 2024

Credit

BlankEclair

Bawolff