CVE-2024-29897
4.9
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Summary
CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. It is possible for users with (delete) or (suppressrevision) on any wiki in the farm to access suppressed wiki requests by going to the request's entry on Special:RequestWikiQueue on the wiki where they have these rights. The same vulnerability was present briefly on the REST API before being quickly corrected in commit 6bc0685. To our knowledge, the vulnerable commits of the REST API are not running in production anywhere. This vulnerability is fixed in 23415c17ffb4832667c06abcf1eadadefd4c8937.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| miraheze | CreateWiki | < 23415c17ffb4832667c06abcf1eadadefd4c8937 | affected |
Weaknesses
- CWE-200: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/miraheze/CreateWiki/security/advisories/GHSA-4rcf-3cj2-46mq
- https://github.com/miraheze/mw-config/commit/fb3e68bcef459e9cf2a415241b28042a6c9727e8
- https://issue-tracker.miraheze.org/F3093343
- https://issue-tracker.miraheze.org/T11999
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/miraheze/CreateWiki/security/advisories/GHSA-4rcf-3cj2-46mq
- https://github.com/miraheze/mw-config/commit/fb3e68bcef459e9cf2a415241b28042a6c9727e8
- https://issue-tracker.miraheze.org/F3093343
- https://issue-tracker.miraheze.org/T11999
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.