PT-2024-32826 · Mediawiki · Incidentreporting

Universal-Omega · Published 2024-10-09 · Updated 2024-10-10 · CVE-2024-47815

CVSS v3.1: 6.0 (Medium)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L

Name of the Vulnerable Software and Affected Versions

IncidentReporting versions prior to the version containing commit 43896a4

Description

The IncidentReporting MediaWiki extension has multiple Cross-site Scripting issues that require elevated permissions to exploit. These issues affect users with the editincidents right, those who can edit interface messages (typically administrators and interface admins), and those who can edit LocalSettings.php.

Recommendations

Upgrade to a version that includes commit 43896a4 to resolve the issue. As a temporary workaround for users unable to upgrade, prevent access to the Special:IncidentReports page.

Exploit

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2024-47815
GHSA-9P36-HRMR-98R9

Affected Products

Incidentreporting