Impact
Improper neutralization of special elements used in an SQL command ('SQL injection') in the MediaWiki Cargo Extension allows an attacker to inject arbitrary SQL into queries the extension executes, potentially enabling data exfiltration, unauthorized data modification, or credential compromise. The weakness is classified as CWE-89; successful exploitation can affect the confidentiality, integrity, and availability of the underlying database.
Affected Systems
The Wikimedia Foundation MediaWiki Cargo Extension versions prior to 1.43.9, 1.44.6, and 1.45.4 are affected. Wikis running an earlier release from any of these branches are vulnerable until updated to the fixed version for that branch.
Risk and Exploitability
The CVSS score of 6.9 indicates a medium severity vulnerability. No EPSS score is available, so the likelihood of exploitation remains uncertain, and the issue is not listed in the C. The attack vector is the Drilldown page, where unfiltered input can be supplied to the extension's query building; the damage an attacker can do through the injected SQL depends on whether the wiki's database credentials have sufficient privileges (for example, read access to credential tables or write access beyond the Cargo tables).
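The following is an added illustration of the CWE-89 pattern described above, not code from the Cargo extension or from the advisory: a drilldown-style filter that pastes a field name and a value straight into a WHERE clause, beside a version that binds the value as a parameter and checks the field name against an allowlist (identifiers cannot be bound, so they must be validated). The table names, columns and rows are constructed sample data standing in for a Cargo table and a MediaWiki user table; the function names are hypothetical. The union payload shows why the credential-compromise impact in the advisory is realistic when the database account can read other tables.

```python
import sqlite3

# Constructed in-memory stand-in for a Cargo data table and the MediaWiki user
# table. The password hash is a placeholder string, not a real hash.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE cargo__Items (_pageName TEXT, Category TEXT, Price INTEGER);
        INSERT INTO cargo__Items VALUES
            ('Sword',  'Weapon',     100),
            ('Shield', 'Armor',       80),
            ('Potion', 'Consumable',   5);
        CREATE TABLE user (user_name TEXT, user_password TEXT);
        INSERT INTO user VALUES ('WikiSysop', 'hash-placeholder');
    """)
    return conn

# Fields the drilldown is allowed to filter on; anything else is rejected.
ALLOWED_FIELDS = {"_pageName", "Category", "Price"}


def drilldown_vulnerable(conn, field, value):
    """Builds the WHERE clause by string concatenation (the CWE-89 pattern).

    Both the field name and the value come from the request unchanged, so a
    value containing a quote breaks out of the literal and the attacker
    controls the rest of the statement.
    """
    sql = f"SELECT _pageName FROM cargo__Items WHERE {field} = '{value}'"
    return [row[0] for row in conn.execute(sql)]


def drilldown_fixed(conn, field, value):
    """Hardened form: the value is bound as a parameter, so it can never be
    parsed as SQL, and the field name (an identifier, which parameter binding
    cannot protect) is checked against an allowlist before being quoted.
    """
    if field not in ALLOWED_FIELDS:
        raise ValueError(f"unknown drilldown field: {field!r}")
    sql = f'SELECT _pageName FROM cargo__Items WHERE "{field}" = ?'
    return [row[0] for row in conn.execute(sql, (value,))]


# Attacker-supplied filter values (constructed for this example).
TAUTOLOGY = "x' OR '1'='1"
UNION_READ_USERS = "x' UNION SELECT user_name || ':' || user_password FROM user --"


def demo():
    """Returns what each variant yields for a benign and for a hostile value."""
    conn = make_db()
    return {
        "benign_vulnerable": drilldown_vulnerable(conn, "Category", "Weapon"),
        "tautology_vulnerable": drilldown_vulnerable(conn, "Category", TAUTOLOGY),
        "union_vulnerable": drilldown_vulnerable(conn, "Category", UNION_READ_USERS),
        "benign_fixed": drilldown_fixed(conn, "Category", "Weapon"),
        "union_fixed": drilldown_fixed(conn, "Category", UNION_READ_USERS),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

In the vulnerable variant the union payload returns the contents of the user table through the drilldown result set, which is only possible because the wiki's database account can read that table; restricting that account's grants limits the blast radius but does not remove the injection. In a MediaWiki extension the equivalent of the fixed variant is to pass values through the IDatabase select() conditions array or addQuotes() and identifiers through addIdentifierQuotes() after validating them, rather than assembling SQL strings.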
OpenCVE Enrichment