PT-2024-20752 · Unknown · Wikidiscover
Universal-Omega · Published 2024-02-08 · Updated 2024-02-15 · CVE-2024-25107
CVSS v3.1: 4.9 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
WikiDiscover (affected versions not specified)
Description
The issue arises from the use of the Language::date function on Special:WikiDiscover, which uses unescaped interface messages to translate month and day names. This results in an XSS vulnerability when the unescaped interface message is included in the output. Exploiting this vulnerability on-wiki requires the (editinterface) right.
Recommendations
Update the WikiDiscover extension to a version that includes the fix committed in 267e763a0.
As a temporary workaround, consider restricting the (editinterface) right to minimize the risk of exploitation.
Avoid using the Language::date function until the issue is resolved.
Exploit
Fix
XSS
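The following is an added illustration of the pattern the description refers to, not code from WikiDiscover or MediaWiki: a translated month name is read from an editable interface message and placed into HTML, first unescaped and then escaped. The message table, formatMonthName(), renderDateCellUnescaped() and renderDateCellEscaped() are hypothetical stand-ins for the message lookup that Language::date performs.

```php
<?php
// Added example, not WikiDiscover or MediaWiki code. The message table and
// the functions below are hypothetical stand-ins for the interface messages
// that Language::date consults when translating month names.

// Constructed interface messages, as a holder of the editinterface right
// could edit them on-wiki. The second entry carries markup that must not
// reach the rendered page unescaped.
$interfaceMessages = [
    'january'  => 'January',
    'february' => 'Feb<u>ruary</u>',
];

/** Return the translated month name exactly as stored, i.e. unescaped. */
function formatMonthName(array $messages, int $month): string {
    $keys = ['january', 'february'];
    return $messages[$keys[$month - 1]] ?? 'unknown';
}

/** Vulnerable pattern: message text interpolated straight into HTML. */
function renderDateCellUnescaped(string $monthName, int $day): string {
    return "<td>$monthName $day</td>";
}

/** Fixed pattern: escape the text before it becomes part of the output. */
function renderDateCellEscaped(string $monthName, int $day): string {
    $text = htmlspecialchars("$monthName $day", ENT_QUOTES, 'UTF-8');
    return '<td>' . $text . '</td>';
}

/** Defender's check: does anything other than the wrapping <td> survive as a tag? */
function leaksMarkup(string $html): bool {
    $inner = preg_replace('#^<td>(.*)</td>$#s', '$1', $html);
    return $inner !== strip_tags($inner);
}

$name = formatMonthName($interfaceMessages, 2);

$unescaped = renderDateCellUnescaped($name, 8);
$escaped   = renderDateCellEscaped($name, 8);

echo "unescaped: $unescaped\n";
echo "  leaks markup? ", leaksMarkup($unescaped) ? 'yes' : 'no', "\n";
echo "escaped:   $escaped\n";
echo "  leaks markup? ", leaksMarkup($escaped) ? 'yes' : 'no', "\n";
```

The same escaping step applies to any interface message that reaches HTML, since the (editinterface) right controls the message text rather than the rendering code.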
Affected Products
Wikidiscover