CVE-2024-25107
Description
WikiDiscover is an extension designed for use with a CreateWiki managed farm to display wikis. On Special:WikiDiscover, the Language::date function is used when making the human-readable timestamp for inclusion on the wiki_creation column. This function uses interface messages to translate the names of months and days. It uses the ->text() output mode, returning unescaped interface messages. Since the output is not escaped later, the unescaped interface message is included on the output, resulting in an XSS vulnerability. Exploiting this on-wiki requires the (editinterface) right. This vulnerability has been addressed in commit 267e763a0. Users are advised to update their installations. There are no known workarounds for this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2(expand)+ 1 more
- (no CPE)
- (no CPE)range: < 267e763a0d7
Patches
Vulnerability mechanics
References
3- github.com/miraheze/WikiDiscover/commit/267e763a0d7460f001693c42f67717a0fc3fd6bbnvdPatch
- github.com/miraheze/WikiDiscover/security/advisories/GHSA-cfcf-94jv-455fnvdPatchVendor Advisory
- issue-tracker.miraheze.org/T11814nvdIssue TrackingVendor Advisory
News mentions
0No linked articles in our index yet.