PT-2023-8947 · Mediawiki+2 · Wikibase Extension For Mediawiki+2

Lucas_Werkmeister_Wmde · Published 2023-10-08 · Updated 2024-09-19 · CVE-2023-45372

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Wikibase extension for MediaWiki versions prior to 1.35.12
Wikibase extension for MediaWiki versions 1.36.x through 1.39.x before 1.39.5
Wikibase extension for MediaWiki versions 1.40.x before 1.40.1

Description

In the Wikibase extension for MediaWiki, ItemMergeInteractor does not run an edit filter, such as AbuseFilter, when items are merged. This could allow a remote attacker to compromise data integrity and confidentiality.

Recommendations

For versions prior to 1.35.12, update to version 1.35.12 or later.
For versions 1.36.x through 1.39.x, update to version 1.39.5 or later.
For versions 1.40.x before 1.40.1, update to version 1.40.1 or later.
As a temporary workaround, consider disabling the ItemMergeInteractor function until a patch is available.
Restrict access to the ItemMergeInteractor to minimize the risk of exploitation.

Fix

RCE

Protection Mechanism Failure

Weakness Enumeration

Related Identifiers

ALT-PU-2023-6419
ALT-PU-2024-11168
ALT-PU-2024-1228
BDU:2024-02749
BIT-MEDIAWIKI-2023-45372
CVE-2023-45372

Affected Products

Alt Linux
Red Os
Wikibase Extension For Mediawiki