Exploit
CVE-2024-47845

Improper Encoding or Escaping of Output (CWE-116)

Published: Oct 5, 2024 / Updated: 46d ago

CVSS 6.9 / EPSS 0.05% / Medium

Summary

Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki - CSS Extension allows Code Injection. This issue affects Mediawiki - CSS Extension: from 1.39.X before 1.39.9, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2.

Impact

This vulnerability could allow an attacker to perform code injection attacks. The CVSS v3.1 base score is 8.2 (High), with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. This indicates:

1. Network-based attack vector (AV:N)
2. Low attack complexity (AC:L)
3. No privileges required (PR:N)
4. User interaction is required (UI:R)
5. The scope is changed (S:C)
6. High impact on confidentiality (C:H)
7. Low impact on integrity (I:L)
8. No impact on availability (A:N)

The high confidentiality impact suggests that sensitive information could be exposed. The changed scope indicates that the vulnerability could affect resources beyond its security context.

Exploitation

One proof-of-concept exploit is available on wikimedia.org. There is no evidence of exploitation at the moment.

Patch

Patches are available. The vulnerability has been addressed in the following versions:

- Mediawiki - CSS Extension version 1.39.9 and later for the 1.39.X branch
- Mediawiki - CSS Extension version 1.41.3 and later for the 1.41.X branch
- Mediawiki - CSS Extension version 1.42.2 and later for the 1.42.X branch

Mitigation

1. Update the Mediawiki - CSS Extension to the latest patched version corresponding to your current branch (1.39.9, 1.41.3, or 1.42.2).
2. If immediate patching is not possible, consider implementing additional input validation and output encoding mechanisms.
3. Monitor and review any user-supplied content that interacts with the CSS Extension.
4. Implement Content Security Policy (CSP) headers to mitigate the risk of code injection attacks.
5. Regularly audit and update all Mediawiki extensions to ensure they are on the latest secure versions.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

- Oct 5, 2024 at 1:15 AM: CVE Assignment. NVD published the first details for CVE-2024-47845.
- Oct 5, 2024 at 1:20 AM / nvd: CVSS. A CVSS base score of 6.9 has been assigned.
- Oct 5, 2024 at 1:21 AM / National Vulnerability Database: First Article. Feedly found the first article mentioning CVE-2024-47845.
- Oct 5, 2024 at 1:21 AM: CVSS Estimate. Feedly estimated the CVSS score as HIGH.
- Oct 5, 2024 at 10:04 AM: EPSS. EPSS Score was set to: 0.05% (Percentile: 16.3%).
- Oct 23, 2024 at 3:05 PM / nvd: CVSS. A CVSS base score of 8.2 has been assigned.
- Oct 23, 2024 at 5:11 PM: Proof of Concept (PoC) Released. A proof of concept exploit has been released.

Affected Systems

Wikimedia/wikimedia-extensions-css

Exploits

https://phabricator.wikimedia.org/T368594

Patches

gerrit.wikimedia.org

Attack Patterns

CAPEC-104: Cross Zone Scripting

References

T368594 CVE-2024-47845: Extension:CSS uses CSS sanitizer incorrectly, and is easily bypassed
Author affiliation: Wikimedia Communities. Event timeline: Restricted Application added a subscriber: Aklapper. Bawolff merged a task: Restricted Task. Mstyles renamed this task from "Extension:CSS uses CSS sanitizer incorrectly, and is easily bypassed" to "CVE-2024-47845: Extension:CSS uses CSS sanitizer incorrectly, and is easily bypassed". Mstyles closed this task as Resolved.

News

CVE-2024-47845 Exploit
CVE Id: CVE-2024-47845. Published Date: 2024-10-23T15:00:00+00:00. Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki - CSS Extension allows Code Injection. This issue affects Mediawiki - CSS Extension: from 1.39.X before 1.39.9, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2. inTheWild added a link to an exploit: https://phabricator.wikimedia.org/T368594

NA - CVE-2024-47845 - Improper Encoding or Escaping of Output...
Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki - CSS Extension allows Code Injection. This issue affects Mediawiki - CSS Extension: from 1.39.X before...

CVE-2024-47845 | Wikimedia CSS Extension up to 1.39.8/1.41.2/1.42.1 on Mediawiki escape output
A vulnerability has been found in Wikimedia CSS Extension up to 1.39.8/1.41.2/1.42.1 on Mediawiki and classified as critical. This vulnerability affects unknown code. The manipulation leads to escaping of output. This vulnerability was named CVE-2024-47845. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

CVE-2024-47845 - Wikimedia Foundation Mediawiki CSS Extension Cross-Site Scripting (XSS)
CVE ID: CVE-2024-47845. Published: Oct. 5, 2024, 1:15 a.m. 20 minutes ago. Description: Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki - CSS Extension allows Code Injection. This issue affects Mediawiki - CSS Extension: from 1.39.X before 1.39.9, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2. Severity: 0.0

CVE-2024-47845
Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki - CSS Extension allows Code Injection. This issue affects Mediawiki - CSS Extension: from 1.39.X before 1.39.9, from 1.41.X before 1.41.3, from 1.42.X before...

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: High
Integrity: Low
Availability Impact: None
