Vulnerabilites related to The Wikimedia Foundation - Mediawiki - Cargo
cve-2024-47847
Vulnerability from cvelistv5
Published
2024-10-05 00:47
Modified
2024-10-07 17:18
Severity ?
EPSS score ?
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Cargo allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Cargo: from 3.6.X before 3.6.1.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| The Wikimedia Foundation | Mediawiki - Cargo |
Version: 3.6.x ≤ |
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:wikimedia:mediawiki-cargo:*:*:*:*:*:*:*:*", ], defaultStatus: "unaffected", product: "mediawiki-cargo", vendor: "wikimedia", versions: [ { lessThan: "3.6.1", status: "affected", version: "3.6.0", versionType: "semver", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-47847", options: [ { Exploitation: "poc", }, { Automatable: "yes", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-07T17:17:29.194570Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-07T17:18:43.941Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Mediawiki - Cargo", vendor: "The Wikimedia Foundation", versions: [ { lessThan: "3.6.1", status: "affected", version: "3.6.x", versionType: "semver", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Yaron_Koren", }, { lang: "en", type: "finder", value: "BlankEclair", }, ], datePublic: "2024-08-21T00:46:00.000Z", descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Cargo allows Cross-Site Scripting (XSS).<p>This issue affects Mediawiki - Cargo: from 3.6.X before 3.6.1.</p>", }, ], value: "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Cargo allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Cargo: from 3.6.X before 3.6.1.", }, ], impacts: [ { capecId: "CAPEC-63", descriptions: [ { lang: "en", value: "CAPEC-63 Cross-Site Scripting (XSS)", }, ], }, ], metrics: [ { cvssV4_0: { Automatable: "NOT_DEFINED", Recovery: "NOT_DEFINED", Safety: "NOT_DEFINED", attackComplexity: "LOW", attackRequirements: "NONE", attackVector: "NETWORK", baseScore: 6.9, baseSeverity: "MEDIUM", privilegesRequired: "NONE", providerUrgency: "NOT_DEFINED", subAvailabilityImpact: "NONE", subConfidentialityImpact: "NONE", subIntegrityImpact: "NONE", userInteraction: "NONE", valueDensity: "NOT_DEFINED", vectorString: "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", version: "4.0", vulnAvailabilityImpact: "NONE", vulnConfidentialityImpact: "LOW", vulnIntegrityImpact: "LOW", vulnerabilityResponseEffort: "NOT_DEFINED", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-10-05T00:47:24.147Z", orgId: "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", shortName: "wikimedia-foundation", }, references: [ { url: "https://phabricator.wikimedia.org/T372211", }, { url: "https://phabricator.wikimedia.org/T368628", }, { url: "https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1063804", }, { url: "https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1063806", }, { url: "https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1063827", }, { url: "https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1063831", }, ], source: { discovery: "UNKNOWN", }, title: "Various XSSes found in Cargo", x_generator: { engine: "Vulnogram 0.2.0", }, }, }, cveMetadata: { assignerOrgId: "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", assignerShortName: "wikimedia-foundation", cveId: "CVE-2024-47847", datePublished: "2024-10-05T00:47:24.147Z", dateReserved: "2024-10-03T23:44:16.835Z", dateUpdated: "2024-10-07T17:18:43.941Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47849
Vulnerability from cvelistv5
Published
2024-10-05 00:29
Modified
2024-10-07 17:36
Severity ?
EPSS score ?
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in The Wikimedia Foundation Mediawiki - Cargo allows SQL Injection.This issue affects Mediawiki - Cargo: from 3.6.X before 3.6.1.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| The Wikimedia Foundation | Mediawiki - Cargo |
Version: 3.6.x ≤ |
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:wikimedia:mediawiki-cargo:*:*:*:*:*:*:*:*", ], defaultStatus: "unaffected", product: "mediawiki-cargo", vendor: "wikimedia", versions: [ { lessThan: "3.6.1", status: "affected", version: "3.6.0", versionType: "semver", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-47849", options: [ { Exploitation: "poc", }, { Automatable: "yes", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-07T17:35:58.700370Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-07T17:36:40.035Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Mediawiki - Cargo", vendor: "The Wikimedia Foundation", versions: [ { lessThan: "3.6.1", status: "affected", version: "3.6.x", versionType: "semver", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Yaron_Koren", }, { lang: "en", type: "finder", value: "BlankEclair", }, ], datePublic: "2024-07-23T00:25:00.000Z", descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in The Wikimedia Foundation Mediawiki - Cargo allows SQL Injection.<p>This issue affects Mediawiki - Cargo: from 3.6.X before 3.6.1.</p>", }, ], value: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in The Wikimedia Foundation Mediawiki - Cargo allows SQL Injection.This issue affects Mediawiki - Cargo: from 3.6.X before 3.6.1.", }, ], impacts: [ { capecId: "CAPEC-66", descriptions: [ { lang: "en", value: "CAPEC-66 SQL Injection", }, ], }, ], metrics: [ { cvssV4_0: { Automatable: "NOT_DEFINED", Recovery: "NOT_DEFINED", Safety: "NOT_DEFINED", attackComplexity: "LOW", attackRequirements: "NONE", attackVector: "NETWORK", baseScore: 8.8, baseSeverity: "HIGH", privilegesRequired: "NONE", providerUrgency: "NOT_DEFINED", subAvailabilityImpact: "NONE", subConfidentialityImpact: "LOW", subIntegrityImpact: "LOW", userInteraction: "NONE", valueDensity: "NOT_DEFINED", vectorString: "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N", version: "4.0", vulnAvailabilityImpact: "NONE", vulnConfidentialityImpact: "HIGH", vulnIntegrityImpact: "LOW", vulnerabilityResponseEffort: "NOT_DEFINED", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-89", description: "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-10-05T00:34:12.792Z", orgId: "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", shortName: "wikimedia-foundation", }, references: [ { url: "https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1055963", }, { url: "https://phabricator.wikimedia.org/T370632", }, { url: "https://phabricator.wikimedia.org/T368628", }, ], source: { discovery: "UNKNOWN", }, title: "Backticks can allow the usage of not-allowed SQL functions", x_generator: { engine: "Vulnogram 0.2.0", }, }, }, cveMetadata: { assignerOrgId: "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", assignerShortName: "wikimedia-foundation", cveId: "CVE-2024-47849", datePublished: "2024-10-05T00:29:44.438Z", dateReserved: "2024-10-03T23:44:16.836Z", dateUpdated: "2024-10-07T17:36:40.035Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47846
Vulnerability from cvelistv5
Published
2024-10-05 00:39
Modified
2024-10-07 17:35
Severity ?
EPSS score ?
Summary
Cross-Site Request Forgery (CSRF) vulnerability in The Wikimedia Foundation Mediawiki - Cargo allows Cross Site Request Forgery.This issue affects Mediawiki - Cargo: from 3.6.X before 3.6.1.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| The Wikimedia Foundation | Mediawiki - Cargo |
Version: 3.6.x ≤ |
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:wikimedia:mediawiki-cargo:*:*:*:*:*:*:*:*", ], defaultStatus: "unaffected", product: "mediawiki-cargo", vendor: "wikimedia", versions: [ { lessThan: "3.6.1", status: "affected", version: "3.6.0", versionType: "semver", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-47846", options: [ { Exploitation: "poc", }, { Automatable: "yes", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-07T17:34:35.933710Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-07T17:35:25.194Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Mediawiki - Cargo", vendor: "The Wikimedia Foundation", versions: [ { lessThan: "3.6.1", status: "affected", version: "3.6.x", versionType: "semver", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "BlankEclair", }, { lang: "en", type: "finder", value: "Yaron_Koren", }, ], datePublic: "2024-10-02T00:39:00.000Z", descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "Cross-Site Request Forgery (CSRF) vulnerability in The Wikimedia Foundation Mediawiki - Cargo allows Cross Site Request Forgery.<p>This issue affects Mediawiki - Cargo: from 3.6.X before 3.6.1.</p>", }, ], value: "Cross-Site Request Forgery (CSRF) vulnerability in The Wikimedia Foundation Mediawiki - Cargo allows Cross Site Request Forgery.This issue affects Mediawiki - Cargo: from 3.6.X before 3.6.1.", }, ], impacts: [ { capecId: "CAPEC-62", descriptions: [ { lang: "en", value: "CAPEC-62 Cross Site Request Forgery", }, ], }, ], metrics: [ { cvssV4_0: { Automatable: "NOT_DEFINED", Recovery: "NOT_DEFINED", Safety: "NOT_DEFINED", attackComplexity: "LOW", attackRequirements: "NONE", attackVector: "NETWORK", baseScore: 6.9, baseSeverity: "MEDIUM", privilegesRequired: "NONE", providerUrgency: "NOT_DEFINED", subAvailabilityImpact: "NONE", subConfidentialityImpact: "NONE", subIntegrityImpact: "NONE", userInteraction: "NONE", valueDensity: "NOT_DEFINED", vectorString: "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", version: "4.0", vulnAvailabilityImpact: "NONE", vulnConfidentialityImpact: "LOW", vulnIntegrityImpact: "LOW", vulnerabilityResponseEffort: "NOT_DEFINED", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-352", description: "CWE-352 Cross-Site Request Forgery (CSRF)", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-10-05T00:39:58.084Z", orgId: "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", shortName: "wikimedia-foundation", }, references: [ { url: "https://phabricator.wikimedia.org/T372209", }, { url: "https://phabricator.wikimedia.org/T368628", }, { url: "https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1062723", }, ], source: { discovery: "UNKNOWN", }, title: "Special:DeleteCargoTable and Special:SwitchCargoTable have no CSRF protection", x_generator: { engine: "Vulnogram 0.2.0", }, }, }, cveMetadata: { assignerOrgId: "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", assignerShortName: "wikimedia-foundation", cveId: "CVE-2024-47846", datePublished: "2024-10-05T00:39:58.084Z", dateReserved: "2024-10-03T23:44:16.835Z", dateUpdated: "2024-10-07T17:35:25.194Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }