PT-2024-26118 · Unknown · Createwiki

Orangestar

·

Published

2024-05-13

·

Updated

2024-05-14

·

CVE-2024-34701

CVSS v3.1

5.9

Medium

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: CreateWiki (affected versions not specified)
Description: A user is treated as the requester of a wiki request if their local user ID on any wiki in the wiki farm matches the requester's local user ID on the wiki where the request was filed. Local user IDs are assigned independently by each wiki, so an unrelated account that happens to hold the same ID elsewhere in the farm is accepted as the requester and can take the actions reserved for the requester on Special:RequestWikiQueue. The problem has been fixed by disabling access to the REST API and the special pages outside of the wiki configured as the "global wiki" in $wgCreateWikiGlobalWiki.
Recommendations: As a temporary workaround, disable the special pages outside of the farm's global wiki by adapting changes similar to miraheze/mw-config commit e5664995fbb8644f9a80b450b4326194f20f9ddc to one's own setup, and disable the REST API outside of the global wiki by setting $wgCreateWikiDisableRESTAPI per wiki through $wgConf in the farm configuration. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
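The following is an added illustration of the authorization flaw described above; it is not CreateWiki's own code. It models a two-wiki farm in plain PHP and contrasts a check that compares bare local user IDs with one that first refuses to serve the queue off the global wiki and then compares the (wiki, local ID) pair. The farm layout, the request record (including the assumption that a request record carries the wiki it was filed from) and the function names are hypothetical.

```php
<?php
// Added illustration, not CreateWiki's own code: why comparing bare local user
// IDs across a wiki farm is an incorrect authorization check. The farm layout,
// the request record and the function names below are hypothetical.

// Constructed sample farm: each wiki keeps its own user table and hands out
// local user IDs independently, so ID 42 names a different person per wiki.
$farm = [
    'metawiki'    => [42 => 'Alice', 43 => 'Bob'],
    'examplewiki' => [42 => 'Mallory', 43 => 'Alice'],
];

// Constructed wiki request as recorded on the global wiki where it was filed:
// Alice (metawiki user 42) asked for a new wiki. 'requesterWiki' is an assumed
// field; the page does not say how CreateWiki stores the requester.
$request = ['id' => 7, 'requesterWiki' => 'metawiki', 'requesterId' => 42];

// Vulnerable check: the viewer's local ID is compared with the requester's
// local ID, no matter which wiki in the farm the viewer is logged in to.
function isRequesterVulnerable(array $request, string $viewerWiki, int $viewerId): bool
{
    return $viewerId === $request['requesterId'];
}

// Hardened check: the queue is served only on the configured global wiki, and
// the viewer must be the same (wiki, local ID) pair the request was filed under.
function isRequesterHardened(array $request, string $globalWiki, string $viewerWiki, int $viewerId): bool
{
    if ($viewerWiki !== $globalWiki) {
        // Mirrors the fix described in the advisory: no queue access off the
        // global wiki, so a local ID from another wiki is never even compared.
        return false;
    }
    return $request['requesterWiki'] === $viewerWiki
        && $request['requesterId'] === $viewerId;
}

// Value of $wgCreateWikiGlobalWiki in this hypothetical farm.
$globalWiki = 'metawiki';

// Walk every account in the farm and see whom each check accepts as requester.
foreach ($farm as $wiki => $users) {
    foreach ($users as $localId => $name) {
        $vulnerable = isRequesterVulnerable($request, $wiki, $localId);
        $hardened   = isRequesterHardened($request, $globalWiki, $wiki, $localId);
        printf(
            "%-12s id=%d %-8s vulnerable=%-3s hardened=%s\n",
            $wiki,
            $localId,
            $name,
            $vulnerable ? 'yes' : 'no',
            $hardened ? 'yes' : 'no'
        );
    }
}
```

Run it with the PHP CLI. The vulnerable check accepts Mallory on examplewiki because her local ID happens to be 42, which is exactly the condition the advisory describes; the hardened check accepts only Alice on metawiki, the account and wiki the request was filed under. Note that the hardened check also rejects Alice's examplewiki account (ID 43), since identity on a farm without a central user table is only meaningful as a (wiki, ID) pair.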

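As an added example of the workaround in the recommendations (not the miraheze/mw-config commit referenced above, whose details may differ), the following LocalSettings.php fragment sets $wgCreateWikiDisableRESTAPI per wiki through $wgConf so that the REST API is off everywhere except the global wiki, and uses MediaWiki core's SpecialPage_initList hook to drop Special:RequestWikiQueue from every other wiki. Wiki names are hypothetical; $wgConf, $wgDBname, $wgHooks and the SpecialPage_initList hook are MediaWiki core, and using $wgDBname as the wiki identifier in $wgConf is an assumption about the farm's naming.

```php
<?php
// Added example, not the miraheze/mw-config commit: a LocalSettings.php
// fragment applying the advisory's workaround on a farm whose global wiki is
// "metawiki". Wiki names are hypothetical; $wgConf, $wgDBname, $wgHooks and
// the SpecialPage_initList hook are MediaWiki core.

// Wikis in the farm, identified here by database name (an assumption).
$wgConf->wikis = ['metawiki', 'examplewiki', 'otherwiki'];

// The wiki that owns the request queue ($wgCreateWikiGlobalWiki).
$wgConf->settings['wgCreateWikiGlobalWiki'] = [
    'default' => 'metawiki',
];

// Weak setting: leaving the REST API reachable on every wiki in the farm, so
// a local ID collision on any wiki is enough to act as the requester.
// $wgConf->settings['wgCreateWikiDisableRESTAPI'] = ['default' => false];

// Corrected setting: disabled everywhere, re-enabled only on the global wiki.
$wgConf->settings['wgCreateWikiDisableRESTAPI'] = [
    'default'  => true,
    'metawiki' => false,
];

// Resolve the per-wiki values for the wiki currently being served into the
// corresponding $wg* globals.
$wgConf->extractAllGlobals($wgDBname);

// Special pages: one way to hide the queue outside the global wiki is to drop
// it from the special-page list on every other wiki. This is an assumed
// approach chosen for the example; adapt it to how the referenced commit
// handles special pages in your own setup.
$wgHooks['SpecialPage_initList'][] = static function (array &$list): void {
    global $wgCreateWikiGlobalWiki, $wgDBname;
    if ($wgDBname !== $wgCreateWikiGlobalWiki) {
        unset($list['RequestWikiQueue']);
    }
};
```

The hook comparison relies on $wgCreateWikiGlobalWiki holding the same identifier scheme as $wgDBname; if the farm keys $wgConf by a different wiki ID, compare against that ID instead. Removing the special page is a hiding measure only, so the REST setting above remains the part that actually closes the remote path the advisory describes.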
Exploit

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2024-34701
GHSA-89FX-77W7-RC64

Affected Products

Createwiki