CVE-2024-47845

Published: Oct 5, 2024Modified: Oct 23, 2024

6.9

Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: c4f26cc8-17ff-4c99-b5e2-38fc1793eacc (Secondary)

Description

Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki - CSS Extension allows Code Injection.This issue affects Mediawiki - CSS Extension: from 1.39.X before 1.39.9, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2.

Affected (3)

Products: Wikimedia: Wikimedia Extensions Css

Wikimedia

1 product

Wikimedia Extensions Css

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Wikimedia Wikimedia Extensions Css	From 1.39.0 to 1.39.9
Wikimedia Wikimedia Extensions Css	From 1.41.0 to 1.41.3
Wikimedia Wikimedia Extensions Css	From 1.42.0 to 1.42.2

Related CWEs

CWE-116

Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

References (3)

https://gerrit.wikimedia.org/r/q/I6f38f4a8fc1dcd690ab27b8f18ce6ca903bacc53

Source: c4f26cc8-17ff-4c99-b5e2-38fc1793eacc

Patch

https://phabricator.wikimedia.org/T368594

Source: c4f26cc8-17ff-4c99-b5e2-38fc1793eacc

ExploitIssue TrackingVendor Advisory

https://phabricator.wikimedia.org/T368628

Source: c4f26cc8-17ff-4c99-b5e2-38fc1793eacc

Issue TrackingVendor Advisory

Timeline

No history available yet.