Today > | 5 Medium | 2 Low vulnerabilities   -   You can now download lists of IOCs here!

CVE-2024-47816

Oct. 10, 2024, 12:51 p.m.

CVSS Score

6.4 / 10

Product(s) Impacted

MediaWiki ImportDump extension

Description

ImportDump is a mediawiki extension designed to automate user import requests. A user's local actor ID is stored in the database to tell who made what requests. Therefore, if a user on another wiki happens to have the same actor ID as someone on the central wiki, the user on the other wiki can act as if they're the original wiki requester. This can be abused to create new comments, edit the request, and view the request if it's marked private. This issue has been addressed in commit `5c91dfc` and all users are advised to update. Users unable to update may disable the special page outside of their global wiki. See `miraheze/mw-config@e566499` for details on that.

Weaknesses

CWE-282
Improper Ownership Management

The product assigns the wrong ownership, or does not properly verify the ownership, of an object or resource.

CWE ID: 282

Date

Published: Oct. 9, 2024, 7:15 p.m.

Last Modified: Oct. 10, 2024, 12:51 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

CVSS Data

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

LOW

Base Score
6.4
Exploitability Score
1.6
Impact Score
4.7
Base Severity
MEDIUM
CVSS Vector String

The CVSS vector string provides an in-depth view of the vulnerability metrics.

View Vector String

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L

References

https://github.com/ security-advisories@github.com

https://github.com/ security-advisories@github.com

https://github.com/ security-advisories@github.com

https://issue-tracker.miraheze.org/ security-advisories@github.com