Vulnerability Description
WikiDiscover is an extension designed for use with a CreateWiki managed farm to display wikis. Special:WikiDiscover is a special page that lists all wikis on the wiki farm. However, the special page does not make any effort to escape the wiki name or description. Therefore, if a wiki sets its name and/or description to an XSS payload, the XSS will execute whenever the wiki is shown on Special:WikiDiscover. This issue has been patched with commit `2ce846dd93` and all users are advised to apply that patch. User unable to upgrade should block access to `Special:WikiDiscover`.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Miraheze | Wikidiscover | < 2024-10-06 |
Related Weaknesses (CWE)
References
- https://github.com/miraheze/WikiDiscover/commit/2ce846dd93ddb9ec86f7472c4d57fe71Patch
- https://github.com/miraheze/WikiDiscover/security/advisories/GHSA-wf48-rqx3-39mfVendor Advisory
- https://issue-tracker.miraheze.org/T12697Issue TrackingProduct
FAQ
What is CVE-2024-47782?
CVE-2024-47782 is a vulnerability with a CVSS score of 7.6 (HIGH). WikiDiscover is an extension designed for use with a CreateWiki managed farm to display wikis. Special:WikiDiscover is a special page that lists all wikis on the wiki farm. However, the special page d...
How severe is CVE-2024-47782?
CVE-2024-47782 has been rated HIGH with a CVSS base score of 7.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-47782?
Check the references section above for vendor advisories and patch information. Affected products include: Miraheze Wikidiscover.