PT-2023-8947 · Mediawiki+2 · Wikibase Extension For Mediawiki+2
Lucas_Werkmeister_Wmde · Published 2023-10-08 · Updated 2024-09-19 · CVE-2023-45372
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Wikibase extension for MediaWiki versions prior to 1.35.12
Wikibase extension for MediaWiki versions 1.36.x through 1.39.x before 1.39.5
Wikibase extension for MediaWiki versions 1.40.x before 1.40.1
Description
The issue is in the Wikibase extension for MediaWiki: the ItemMergeInteractor does not run an edit filter, such as AbuseFilter, during item merging. This could allow a remote attacker to compromise data integrity and confidentiality.
Recommendations
For versions prior to 1.35.12, update to version 1.35.12 or later.
For versions 1.36.x through 1.39.x, update to version 1.39.5 or later.
For versions 1.40.x before 1.40.1, update to version 1.40.1 or later.
As a temporary workaround, consider disabling the ItemMergeInteractor function until a patch is available.
Restrict access to the ItemMergeInteractor to minimize the risk of exploitation.
Fix
RCE
Protection Mechanism Failure
Related identifiers
Affected products
Alt Linux
Red Os
Wikibase Extension For Mediawiki