CVE-2024-47816
Oct. 10, 2024, 12:51 p.m.
6.4
Medium
Description
ImportDump is a mediawiki extension designed to automate user import requests. A user's local actor ID is stored in the database to tell who made what requests. Therefore, if a user on another wiki happens to have the same actor ID as someone on the central wiki, the user on the other wiki can act as if they're the original wiki requester. This can be abused to create new comments, edit the request, and view the request if it's marked private. This issue has been addressed in commit `5c91dfc` and all users are advised to update. Users unable to update may disable the special page outside of their global wiki. See `miraheze/mw-config@e566499` for details on that.
Product(s) Impacted
| Product | Versions |
|---|---|
| MediaWiki ImportDump extension |
|
Weaknesses
CWE-282
Improper Ownership Management
The product assigns the wrong ownership, or does not properly verify the ownership, of an object or resource.
References
Tags
CVSS Score
CVSS Data
- Attack Vector: NETWORK
- Attack Complexity: HIGH
- Privileges Required: LOW
- Scope: UNCHANGED
- Confidentiality Impact: LOW
- Integrity Impact: HIGH
- Availability Impact: LOW
View Vector String
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L
Date
- Published: Oct. 9, 2024, 7:15 p.m.
- Last Modified: Oct. 10, 2024, 12:51 p.m.
Status : Awaiting Analysis
CVE has been recently published to the CVE List and has been received by the NVD.
More infoSource
security-advisories@github.com
*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.