PT-2024-32813 · Mediawiki · Createwiki

Blankeclair · Published 2024-10-07 · Updated 2024-11-14 · CVE-2024-47781

CVSS v3.1: 6.1 Medium
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: CreateWiki (affected versions not specified)
Description: The CreateWiki extension, which is used for requesting and creating wikis, does not properly escape the name of a requested wiki when it is displayed on the Special:RequestWikiQueue page. A user can therefore submit a wiki request whose name contains arbitrary HTML, and that HTML is rendered in the request queue for whoever reviews it (stored cross-site scripting). If a wiki creator views the malicious request, the injected script runs in their session and can be used to retrieve deleted wiki requests, which may contain private information. In the same way, when the payload runs in the session of a user who is able to suppress requests, it can be used to view suppressed requests and the sensitive information they contain.
Recommendations: To resolve the issue, apply the patch in commit 693a220. As a temporary workaround until the patch is applied, consider disabling JavaScript and/or restricting access to the vulnerable page Special:RequestWikiQueue. Note that disabling JavaScript only blocks the script part of the payload; injected markup that needs no script (for example a spoofed link or form placed in the queue) is still rendered, so restricting access to the page is the more reliable of the two workarounds.
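The escaping defect described above, as an added illustration: the following stand-alone PHP script is not CreateWiki's code and not the patch in commit 693a220; the queue row layout and the function names renderQueueRowUnsafe, renderQueueRowSafe and survivingTags are assumptions made for this example. It renders a constructed request name into a queue row first by plain concatenation (the class of bug in the advisory) and then through htmlspecialchars(), and checks whether any tag present in the untrusted input survives as a real tag in the rendered output.

```php
<?php
// Added example (not CreateWiki's own code). Shows a request name rendered into a
// queue row without escaping, next to the escaped form, plus a check that a tag
// from the untrusted input does not survive into the page. Row layout and function
// names are assumptions for this illustration.

declare(strict_types=1);

/** Vulnerable: the untrusted request name is concatenated into HTML as-is. */
function renderQueueRowUnsafe(int $id, string $requestName): string
{
    return '<tr><td>' . $id . '</td><td>' . $requestName . '</td></tr>';
}

/**
 * Hardened: the request name is HTML-escaped for a text-node context before it is
 * concatenated. ENT_QUOTES also encodes quotes, so the same value would be safe
 * inside a quoted attribute; URL or JavaScript contexts still need their own encoding.
 */
function renderQueueRowSafe(int $id, string $requestName): string
{
    $escaped = htmlspecialchars($requestName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<tr><td>' . $id . '</td><td>' . $escaped . '</td></tr>';
}

/**
 * Check: collect the tag names that appear in the untrusted input and report which of
 * them still appear as a real opening tag in the rendered output. An escaped input
 * yields "&lt;img", which no longer matches "<img".
 */
function survivingTags(string $input, string $rendered): array
{
    preg_match_all('/<\s*([a-zA-Z][a-zA-Z0-9-]*)/', $input, $m);
    $surviving = [];
    foreach (array_unique($m[1]) as $tag) {
        if (preg_match('/<\s*' . preg_quote($tag, '/') . '\b/i', $rendered)) {
            $surviving[] = strtolower($tag);
        }
    }
    return $surviving;
}

// Constructed request name carrying a payload, as an attacker might submit it.
$payload = 'My wiki <img src=x onerror="alert(document.cookie)">';

foreach (['unsafe' => 'renderQueueRowUnsafe', 'safe' => 'renderQueueRowSafe'] as $label => $fn) {
    $html = $fn(42, $payload);
    $left = survivingTags($payload, $html);
    printf("%-6s %s\n       surviving tags: %s\n", $label, $html, $left ? implode(',', $left) : 'none');
}
```

Run it with `php queue_escape.php`: the unsafe row keeps the `<img>` element together with its onerror handler, while the escaped row shows the name as literal text and the check reports no surviving tags. In a MediaWiki extension the same result is obtained by building the cell with core's escaping helper, e.g. Html::element(), which escapes its content, instead of concatenating a user-supplied string into raw HTML.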

Tags: Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2024-47781
GHSA-h527-jh77-5g7j

Affected Products

Createwiki