CVE-2024-25109 MEDIUM

CVE-2024-25109: Cross-Site Scripting in the extensions, settings, permissions and namespaces subpages of ManageWiki

Vendor Miraheze
Product ManageWiki
Weakness CWE-79 · XSS
Published February 9, 2024
Last update August 1, 2024

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01 Description

ManageWiki is a MediaWiki extension allowing users to manage wikis. Special:ManageWiki does not escape interface messages on the `columns` and `help` keys of the form descriptor, which gives an attacker a cross-site scripting attack vector. Exploiting this on-wiki requires the `(editinterface)` right. Users should apply the code changes in commits `886cc6b94`, `2ef0f50880`, and `6942e8b2c` to resolve this vulnerability. There are no known workarounds for this vulnerability.

Key dates

02 Disclosure timeline

February 9, 2024 CVE published
August 1, 2024 Record updated