CVE-2024-47816

Name of the Vulnerable Software and Affected Versions ImportDump (affected versions not specified)

Description The issue concerns the ImportDump mediawiki extension, which is designed to automate user import requests. A user's local actor ID is stored in the database to track who made what requests. However, if a user on another wiki has the same actor ID as someone on the central wiki, they can act as if they are the original wiki requester. This can be exploited to create new comments, edit requests, and view private requests.

Recommendations Update to a version that includes the fix from commit 5c91dfc. If an update is not possible, disable the special page outside of the global wiki, see miraheze/mw-config@e566499 for details.