Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki - CSS Extension allows Code Injection.This issue affects Mediawiki - CSS Extension: from 1.39.X before 1.39.9, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Wed, 23 Oct 2024 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Wikimedia wikimedia-extensions-css
CPEs cpe:2.3:a:wikimedia:wikimedia-extensions-css:*:*:*:*:*:*:*:*
Vendors & Products Wikimedia wikimedia-extensions-css
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N'}


Mon, 07 Oct 2024 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Wikimedia
Wikimedia mediawiki-extensions-css
CPEs cpe:2.3:a:wikimedia:mediawiki-extensions-css:*:*:*:*:*:*:*:*
Vendors & Products Wikimedia
Wikimedia mediawiki-extensions-css
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 05 Oct 2024 00:45:00 +0000

Type Values Removed Values Added
Description Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki - CSS Extension allows Code Injection.This issue affects Mediawiki - CSS Extension: from 1.39.X before 1.39.9, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2.
Title CSS sanitizer used incorrectly, and is easily bypassed
Weaknesses CWE-116
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: wikimedia-foundation

Published:

Updated: 2024-10-07T17:39:08.435Z

Reserved: 2024-10-03T23:44:16.835Z

Link: CVE-2024-47845

cve-icon Vulnrichment

Updated: 2024-10-07T17:39:02.407Z

cve-icon NVD

Status : Analyzed

Published: 2024-10-05T01:15:12.237

Modified: 2024-10-23T15:00:11.853

Link: CVE-2024-47845

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.