CVE-2024-29897 MEDIUM

CVE-2024-29897: CreateWiki Leak of suppressed wiki requests outside of `CreateWikiGlobalWiki`

Vendor Miraheze
Product CreateWiki
Weakness CWE-200 · Info exposure
Published March 28, 2024
Last update September 3, 2024

CVSS base score

4.9/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. It is possible for users with (delete) or (suppressrevision) on any wiki in the farm to access suppressed wiki requests by going to the request's entry on Special:RequestWikiQueue on the wiki where they have these rights. The same vulnerability was present briefly on the REST API before being quickly corrected in commit `6bc0685`. To our knowledge, the vulnerable commits of the REST API are not running in production anywhere. This vulnerability is fixed in 23415c17ffb4832667c06abcf1eadadefd4c8937.

Key dates

02Disclosure timeline

March 28, 2024 CVE published
September 3, 2024 Record updated