PT-2022-19902 · Mediawiki · Mediawiki Private Domains Extension
Author: Ashley · Published 2022-04-29 · Updated 2024-08-20
CVE-2022-29903
CVSS v2.0: 4.3 (Medium) · Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions
MediaWiki Private Domains extension versions through 1.37.2
Description
The "Special:PrivateDomains" page accepts state-changing POST requests without a valid CSRF (edit) token, so an attacker who gets an authenticated privileged user to submit a forged cross-site POST request to that endpoint can edit the pages that store the extension's configuration.
Recommendations
For MediaWiki Private Domains extension versions through 1.37.2, update to a version that includes the fix, i.e. one containing commit 1ad65d4c1c199b375ea80988d99ab51ae068f766 or later. As a temporary workaround, restrict access to the "Special:PrivateDomains" endpoint to reduce the risk of exploitation.
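The fix pattern for this class of bug in a MediaWiki special page is to tie every state-changing POST to the session's edit token. The following is an added illustrative example, not the Private Domains extension's own code: the special page name "ExampleDomains", the storage page title, the required right and the "exampledomains-*" message keys are assumptions made for the example. The token check in execute() is the part that matters; "sessionfailure" is a core MediaWiki message, and matchEditToken(), getEditToken(), wasPosted() and the Html helpers are core APIs.

```php
<?php
// Added illustrative example (not the Private Domains extension's own code).
// A MediaWiki special page whose POST handler edits a wiki page, written so
// that a cross-site forged request is rejected. Special page name, right,
// message keys and the storage page title are assumptions for this example.

use MediaWiki\MediaWikiServices;

class SpecialExampleDomains extends SpecialPage {

    /** Hypothetical page that stores the extension's configuration. */
    private const STORAGE_PAGE = 'MediaWiki:ExampleDomains';

    public function __construct() {
        // Hypothetical special page name; restricted to users with 'editinterface'.
        parent::__construct( 'ExampleDomains', 'editinterface' );
    }

    public function execute( $par ) {
        $this->setHeaders();
        $this->checkPermissions(); // throws PermissionsError if the user lacks the right

        $request = $this->getRequest();
        $user = $this->getUser();
        $out = $this->getOutput();

        if ( $request->wasPosted() ) {
            // Vulnerable pattern: calling saveDomains() here unconditionally.
            // The browser attaches the victim's session cookie to a form posted
            // from any site, so being logged in does not prove the user intended
            // this action. The edit token is bound to the session and is never
            // exposed cross-origin, so only a form rendered by this wiki carries it.
            if ( !$user->matchEditToken( $request->getVal( 'wpEditToken' ) ) ) {
                $out->addWikiMsg( 'sessionfailure' ); // core message: token missing or mismatched
                return;
            }
            $this->saveDomains( $request->getText( 'domains' ) );
            $out->addWikiMsg( 'exampledomains-saved' ); // hypothetical message key
        }

        $this->showForm();
    }

    private function showForm(): void {
        $user = $this->getUser();
        $out = $this->getOutput();

        // Same-origin form carrying the token as a hidden field. Building the
        // form with HTMLForm instead of raw markup adds and verifies the token
        // automatically, which is the simpler way to get this right.
        $out->addHTML(
            Html::openElement( 'form', [
                'method' => 'post',
                'action' => $this->getPageTitle()->getLocalURL(),
            ] ) .
            Html::textarea( 'domains', $this->loadDomains() ) .
            Html::hidden( 'wpEditToken', $user->getEditToken() ) .
            Html::submitButton( $this->msg( 'exampledomains-submit' )->text() ) . // hypothetical key
            Html::closeElement( 'form' )
        );
    }

    private function loadDomains(): string {
        $title = Title::newFromText( self::STORAGE_PAGE );
        $page = MediaWikiServices::getInstance()->getWikiPageFactory()->newFromTitle( $title );
        $content = $page->getContent();
        return $content instanceof TextContent ? $content->getText() : '';
    }

    private function saveDomains( string $text ): void {
        // Configuration lives in a wiki page, as it does for the extension in
        // this advisory, so the save is an ordinary page edit by the acting user.
        $title = Title::newFromText( self::STORAGE_PAGE );
        $page = MediaWikiServices::getInstance()->getWikiPageFactory()->newFromTitle( $title );
        $content = ContentHandler::makeContent( $text, $title );
        $page->doUserEditContent( $content, $this->getUser(), 'Update private domains list' );
    }
}
```

Restricting who can reach the special page (the workaround above) narrows the set of users whose sessions could be abused, but it does not replace the token check: an administrator who is allowed to use the page is still a valid CSRF victim until the token is verified.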
Tags: Exploit · Fix · CSRF
Affected Products: Alt Linux; Mediawiki Private Domains Extension