PT-2024-23119 · Mediawiki · Createwiki

Redbluegreenhat · Published 2024-03-28 · Updated 2024-03-28 · CVE-2024-29898

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

CreateWiki versions that do not include the fix in commit 8f8442ed5299510ea3e58416004b9334134c149c

Description

An issue in CreateWiki, a MediaWiki extension, may have exposed suppressed wiki requests to private wikis. This occurred when Special:RequestWikiQueue was added to the read whitelist, potentially allowing users without the read permission to access it.

Recommendations

Update to a version that includes the fix in commit 8f8442ed5299510ea3e58416004b9334134c149c to resolve the issue. As a temporary workaround, consider removing Special:RequestWikiQueue from the read whitelist for private wikis until the update is applied.

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2024-29898
GHSA-4RCF-3CJ2-46MQ
GHSA-5RCV-CF88-GV8V

Affected Products

Createwiki