CVE-2025-54865
7.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Summary
Tilesheets MediaWiki Extension adds a table lookup parser function for an item and returns the requested image. A missing backtick in a query executed by the Tilesheets extension allows users to insert and potentially execute malicious SQL code. This issue has not been fixed.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| FTB-Gamepedia | Tilesheets | <= 5.0.3 | affected |
Weaknesses
- CWE-89: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: partial
Additional References
References
- https://github.com/FTB-Gamepedia/Tilesheets/security/advisories/GHSA-hqfr-7cm9-4h87
- https://github.com/FTB-Gamepedia/Tilesheets/blob/8debbf8ee6ddb02bf9c756bab5c085b007d72c50/special/SheetManager.php#L255
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.