Vulnerabilities related to miraheze - managewiki
CVE-2024-25109 (GCVE-0-2024-25109)
Vulnerability from cvelistv5
Published
2024-02-09 22:25
Modified
2024-08-01 23:36
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
ManageWiki is a MediaWiki extension allowing users to manage wikis. Special:ManageWiki does not escape interface messages on the `columns` and `help` keys on the form descriptor. An attacker may exploit this and would have a cross-site scripting attack vector. Exploiting this on-wiki requires the `(editinterface)` right. Users should apply the code changes in commits `886cc6b94`, `2ef0f50880`, and `6942e8b2c` to resolve this vulnerability. There are no known workarounds for this vulnerability.
References
URL | Tags
---|---
https://github.com/miraheze/ManageWiki/security/advisories/GHSA-4jr2-jhfm-2r84 | x_refsource_CONFIRM
https://github.com/miraheze/ManageWiki/commit/2ef0f50880d7695ca2874dc8dd515b2b9bbb02e5 | x_refsource_MISC
https://github.com/miraheze/ManageWiki/commit/6942e8b2c01dc33c2c41a471f91ef3f6ca726073 | x_refsource_MISC
https://github.com/miraheze/ManageWiki/commit/886cc6b94587f1c7387caa26ca9fe612e01836a0 | x_refsource_MISC
https://issue-tracker.miraheze.org/T11812 | x_refsource_MISC
Impacted products
Vendor | Product | Version
---|---|---
miraheze | ManageWiki | < 6942e8b2c01dc33c2c41a471f91ef3f6ca726073
CVE-2025-32964 (GCVE-0-2025-32964)
Vulnerability from cvelistv5
Published
2025-04-22 17:15
Modified
2025-04-22 17:35
CWE
- CWE-285 - Improper Authorization
Summary
ManageWiki is a MediaWiki extension allowing users to manage wikis. Prior to commit 00bebea, when enabling a conflicting extension, a restricted extension would be automatically disabled even if the user did not hold the ManageWiki-restricted right. This issue has been patched in commit 00bebea. A workaround involves ensuring that any extensions requiring specific permissions in `$wgManageWikiExtensions` also require the same permissions for managing any conflicting extensions.
References
URL | Tags
---|---
https://github.com/miraheze/ManageWiki/security/advisories/GHSA-ccrf-x5rp-gppr | x_refsource_CONFIRM
https://github.com/miraheze/ManageWiki/commit/00bebea43a3e3ff0157b5f04df17c1d1e88a9acd | x_refsource_MISC
Impacted products
Vendor | Product | Version
---|---|---
miraheze | ManageWiki | < 00bebea
CVE-2025-43861 (GCVE-0-2025-43861)
Vulnerability from cvelistv5
Published
2025-04-24 20:49
Modified
2025-04-25 19:32
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
ManageWiki is a MediaWiki extension allowing users to manage wikis. Prior to commit 2f177dc, ManageWiki is vulnerable to reflected or stored XSS in the review dialog. A logged-in attacker must change a form field to include a malicious payload. If that same user then opens the "Review Changes" dialog, the payload will be rendered and executed in the context of their own session. This issue has been patched in commit 2f177dc.
References
URL | Tags
---|---
https://github.com/miraheze/ManageWiki/security/advisories/GHSA-859x-46h8-vcrv | x_refsource_CONFIRM
https://github.com/miraheze/ManageWiki/commit/2f177dc83b28b727613215b835d4036cb179e4ab | x_refsource_MISC
Impacted products
Vendor | Product | Version
---|---|---
miraheze | ManageWiki | < 2f177dc
CVE-2025-32956 (GCVE-0-2025-32956)
Vulnerability from cvelistv5
Published
2025-04-21 20:45
Modified
2025-05-12 15:40
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
ManageWiki is a MediaWiki extension allowing users to manage wikis. Versions before commit f504ed8 are vulnerable to SQL injection when renaming a namespace in Special:ManageWiki/namespaces when using a page prefix (namespace name, which is the current namespace you are renaming) with an injection payload. This issue has been patched in commit f504ed8. A workaround for this vulnerability involves setting `$wgManageWiki['namespaces'] = false;`.
References
URL | Tags
---|---
https://github.com/miraheze/ManageWiki/security/advisories/GHSA-gg42-cv66-f5x7 | x_refsource_CONFIRM
https://github.com/miraheze/ManageWiki/commit/f504ed8eeb59b57ebb90f93cd44f23da4c5bc4c9 | x_refsource_MISC
Impacted products
Vendor | Product | Version
---|---|---
miraheze | ManageWiki | < f504ed8
CVE-2021-29483 (GCVE-0-2021-29483)
Vulnerability from cvelistv5
Published
2021-04-28 21:25
Modified
2024-08-03 22:11
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
ManageWiki is an extension to the MediaWiki project. The 'wikiconfig' API leaked the value of private configuration variables set through the ManageWiki variable to all users. This has been patched by https://github.com/miraheze/ManageWiki/compare/99f3b2c8af18...befb83c66f5b.patch. If you are unable to patch, set `$wgAPIListModules['wikiconfig'] = 'ApiQueryDisabled';` or remove private config as a workaround.
References
URL | Tags
---|---
https://github.com/miraheze/ManageWiki/security/advisories/GHSA-jmc9-rv2f-g8vv | x_refsource_CONFIRM
https://github.com/miraheze/ManageWiki/commit/befb83c66f5b643e174897ea41a8a46679b26304 | x_refsource_MISC
https://phabricator.miraheze.org/T7213 | x_refsource_MISC
Impacted products
Vendor | Product | Version
---|---|---
miraheze | ManageWiki | < befb83c66f5b643e174897ea41a8a46679b26304
CVE-2025-32964
Vulnerability from fkie_nvd
Published
2025-04-22 18:16
Modified
2025-09-19 15:46
Summary
ManageWiki is a MediaWiki extension allowing users to manage wikis. Prior to commit 00bebea, when enabling a conflicting extension, a restricted extension would be automatically disabled even if the user did not hold the ManageWiki-restricted right. This issue has been patched in commit 00bebea. A workaround involves ensuring that any extensions requiring specific permissions in `$wgManageWikiExtensions` also require the same permissions for managing any conflicting extensions.
References
Impacted products
Vendor | Product | Version
---|---|---
miraheze | managewiki | *
CVE-2025-43861
Vulnerability from fkie_nvd
Published
2025-04-24 21:15
Modified
2025-09-19 15:41
Severity
4.4 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
ManageWiki is a MediaWiki extension allowing users to manage wikis. Prior to commit 2f177dc, ManageWiki is vulnerable to reflected or stored XSS in the review dialog. A logged-in attacker must change a form field to include a malicious payload. If that same user then opens the "Review Changes" dialog, the payload will be rendered and executed in the context of their own session. This issue has been patched in commit 2f177dc.
References
Impacted products
Vendor | Product | Version
---|---|---
miraheze | managewiki | *
Vulnerability from fkie_nvd
Published
2021-04-28 22:15
Modified
2024-11-21 06:01
Severity ?
9.4 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
ManageWiki is an extension to the MediaWiki project. The 'wikiconfig' API leaked the value of private configuration variables set through the ManageWiki variable to all users. This has been patched by https://github.com/miraheze/ManageWiki/compare/99f3b2c8af18...befb83c66f5b.patch. If you are unable to patch, set `$wgAPIListModules['wikiconfig'] = 'ApiQueryDisabled';` or remove private config as a workaround.
References
Source | URL | Tags | |
---|---|---|---|
security-advisories@github.com | https://github.com/miraheze/ManageWiki/commit/befb83c66f5b643e174897ea41a8a46679b26304 | Patch, Third Party Advisory | |
security-advisories@github.com | https://github.com/miraheze/ManageWiki/security/advisories/GHSA-jmc9-rv2f-g8vv | Mitigation, Patch, Third Party Advisory | |
security-advisories@github.com | https://phabricator.miraheze.org/T7213 | Issue Tracking, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/miraheze/ManageWiki/commit/befb83c66f5b643e174897ea41a8a46679b26304 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/miraheze/ManageWiki/security/advisories/GHSA-jmc9-rv2f-g8vv | Mitigation, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://phabricator.miraheze.org/T7213 | Issue Tracking, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
miraheze | managewiki | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:miraheze:managewiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "07A8635C-1EE6-41CA-811E-99AFAE1D7F5F", "versionEndExcluding": "2021-04-28", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ManageWiki is an extension to the MediaWiki project. The \u0027wikiconfig\u0027 API leaked the value of private configuration variables set through the ManageWiki variable to all users. This has been patched by https://github.com/miraheze/ManageWiki/compare/99f3b2c8af18...befb83c66f5b.patch. If you are unable to patch set `$wgAPIListModules[\u0027wikiconfig\u0027] = \u0027ApiQueryDisabled\u0027;` or remove private config as a workaround." }, { "lang": "es", "value": "ManageWiki es una extensi\u00f3n del proyecto MediaWiki.\u0026#xa0;La API \"wikiconfig\" filtr\u00f3 el valor de las variables de configuraci\u00f3n privadas establecidas por medio de la variable ManageWiki a todos los usuarios.\u0026#xa0;Esto ha sido parcheado por https://github.com/miraheze/ManageWiki/compare/99f3b2c8af18...befb83c66f5b.patch.\u0026#xa0;Si no puede parchear, configure `$ wgAPIListModules [\u0027wikiconfig\u0027] = \u0027ApiQueryDisabled\u0027;` o elimine la configuraci\u00f3n privada como soluci\u00f3n alternativa" } ], "id": "CVE-2021-29483", "lastModified": "2024-11-21T06:01:13.940", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], 
"cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.5, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-04-28T22:15:08.337", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/miraheze/ManageWiki/commit/befb83c66f5b643e174897ea41a8a46679b26304" }, { "source": "security-advisories@github.com", "tags": [ "Mitigation", "Patch", "Third Party Advisory" ], "url": "https://github.com/miraheze/ManageWiki/security/advisories/GHSA-jmc9-rv2f-g8vv" }, { "source": "security-advisories@github.com", "tags": [ "Issue Tracking", "Third Party Advisory" ], "url": "https://phabricator.miraheze.org/T7213" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/miraheze/ManageWiki/commit/befb83c66f5b643e174897ea41a8a46679b26304" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mitigation", "Patch", "Third Party Advisory" ], "url": "https://github.com/miraheze/ManageWiki/security/advisories/GHSA-jmc9-rv2f-g8vv" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Third Party Advisory" ], "url": "https://phabricator.miraheze.org/T7213" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-02-09 23:15
Modified
2024-11-21 09:00
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
ManageWiki is a MediaWiki extension allowing users to manage wikis. Special:ManageWiki does not escape interface messages on the `columns` and `help` keys on the form descriptor. An attacker may exploit this and would have a cross site scripting attack vector. Exploiting this on-wiki requires the `(editinterface)` right. Users should apply the code changes in commits `886cc6b94`, `2ef0f50880`, and `6942e8b2c` to resolve this vulnerability. There are no known workarounds for this vulnerability.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
miraheze | managewiki | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:miraheze:managewiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "77660479-AB57-45B2-8F6E-921AE3A99EBD", "versionEndExcluding": "2024-02-09", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ManageWiki is a MediaWiki extension allowing users to manage wikis. Special:ManageWiki does not escape escape interface messages on the `columns` and `help` keys on the form descriptor. An attacker may exploit this and would have a cross site scripting attack vector. Exploiting this on-wiki requires the `(editinterface)` right. Users should apply the code changes in commits `886cc6b94`, `2ef0f50880`, and `6942e8b2c` to resolve this vulnerability. There are no known workarounds for this vulnerability." }, { "lang": "es", "value": "ManageWiki es una extensi\u00f3n de MediaWiki que permite a los usuarios administrar wikis. Special:ManageWiki no escapa a los mensajes de la interfaz de escape en las teclas \"columnas\" y \"ayuda\" del descriptor del formulario. Un atacante podr\u00eda aprovechar esto y tendr\u00eda un vector de ataque de cross site scripting. Explotar este wiki requiere el derecho `(editinterface)`. Los usuarios deben aplicar los cambios de c\u00f3digo en los commits `886cc6b94`, `2ef0f50880` y `6942e8b2c` para resolver esta vulnerabilidad. No se conocen workarounds para esta vulnerabilidad." 
} ], "id": "CVE-2024-25109", "lastModified": "2024-11-21T09:00:16.393", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 1.2, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2024-02-09T23:15:10.057", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/miraheze/ManageWiki/commit/2ef0f50880d7695ca2874dc8dd515b2b9bbb02e5" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/miraheze/ManageWiki/commit/6942e8b2c01dc33c2c41a471f91ef3f6ca726073" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/miraheze/ManageWiki/commit/886cc6b94587f1c7387caa26ca9fe612e01836a0" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/miraheze/ManageWiki/security/advisories/GHSA-4jr2-jhfm-2r84" }, { "source": "security-advisories@github.com", "tags": [ "Issue Tracking" ], "url": "https://issue-tracker.miraheze.org/T11812" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": 
"https://github.com/miraheze/ManageWiki/commit/2ef0f50880d7695ca2874dc8dd515b2b9bbb02e5" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/miraheze/ManageWiki/commit/6942e8b2c01dc33c2c41a471f91ef3f6ca726073" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/miraheze/ManageWiki/commit/886cc6b94587f1c7387caa26ca9fe612e01836a0" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://github.com/miraheze/ManageWiki/security/advisories/GHSA-4jr2-jhfm-2r84" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking" ], "url": "https://issue-tracker.miraheze.org/T11812" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2025-04-21 21:15
Modified
2025-09-19 15:47
Severity ?
Summary
ManageWiki is a MediaWiki extension allowing users to manage wikis. Versions before commit f504ed8 are vulnerable to SQL injection when renaming a namespace in Special:ManageWiki/namespaces when using a page prefix (namespace name, which is the current namespace you are renaming) with an injection payload. This issue has been patched in commit f504ed8. A workaround for this vulnerability involves setting `$wgManageWiki['namespaces'] = false;`.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
miraheze | managewiki | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:miraheze:managewiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "2D77361B-ADBA-4AAE-B034-E809C4108ADA", "versionEndExcluding": "2025-04-20", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ManageWiki is a MediaWiki extension allowing users to manage wikis. Versions before commit f504ed8, are vulnerable to SQL injection when renaming a namespace in Special:ManageWiki/namespaces when using a page prefix (namespace name, which is the current namespace you are renaming) with an injection payload. This issue has been patched in commit f504ed8. A workaround for this vulnerability involves setting `$wgManageWiki[\u0027namespaces\u0027] = false;`." }, { "lang": "es", "value": "ManageWiki es una extensi\u00f3n de MediaWiki que permite a los usuarios administrar wikis. Las versiones anteriores a el commit f504ed8 son vulnerables a la inyecci\u00f3n de SQL al renombrar un espacio de nombres en Special:ManageWiki/namespaces al usar un prefijo de p\u00e1gina (nombre del espacio de nombres, que corresponde al espacio de nombres actual que se est\u00e1 renombrando) con un payload de inyecci\u00f3n. Este problema se ha corregido en el commit f504ed8. Un workaround para esta vulnerabilidad consiste en configurar `$wgManageWiki[\u0027namespaces\u0027] = false;`." 
} ], "id": "CVE-2025-32956", "lastModified": "2025-09-19T15:47:40.820", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.1, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary" } ] }, "published": "2025-04-21T21:15:20.647", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/miraheze/ManageWiki/commit/f504ed8eeb59b57ebb90f93cd44f23da4c5bc4c9" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory", "Mitigation" ], "url": "https://github.com/miraheze/ManageWiki/security/advisories/GHSA-gg42-cv66-f5x7" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.vicarius.io/vsociety/posts/cve-2025-32956-detect-mediawiki-vulnerability" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Mitigation", "Third Party Advisory" ], "url": "https://www.vicarius.io/vsociety/posts/cve-2025-32956-mitigate-mediawiki-vulnerability" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "security-advisories@github.com", "type": "Secondary" } ] }