CVE-2024-29883 MEDIUM

CVE-2024-29883: CreateWiki's wiki request suppression ignores the suppression settings set by the suppressor

Vendor Miraheze
Product CreateWiki
Weakness CWE-200 · Info exposure
Published March 26, 2024
Last update August 2, 2024

CVSS base score

4.9/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. Suppression of wiki requests does not work as intended, and always restricts visibility to those with the `(createwiki)` user right regardless of the settings one sets on a given wiki request. This may expose information to users who are not supposed to be able to access it.

Key dates

02Disclosure timeline

March 26, 2024 CVE published
August 2, 2024 Record updated