An issue was discovered in the Widgets extension through 1.4.0 for MediaWiki. Improper title sanitization allowed for the execution of any wiki page as a widget (as defined by this extension) via MediaWiki's {{#widget:}} parser function.
References
| Link | Resource |
|---|---|
| https://gerrit.wikimedia.org/r/q/I953e060bc6994ffdba9f380c98173f53f8ca1ea8 | Patch Third Party Advisory |
| https://phabricator.wikimedia.org/T245850 | Exploit Third Party Advisory |
| https://gerrit.wikimedia.org/r/q/I953e060bc6994ffdba9f380c98173f53f8ca1ea8 | Patch Third Party Advisory |
| https://phabricator.wikimedia.org/T245850 | Exploit Third Party Advisory |
Configurations
History
21 Nov 2024, 05:40
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://gerrit.wikimedia.org/r/q/I953e060bc6994ffdba9f380c98173f53f8ca1ea8 - Patch, Third Party Advisory | |
| References | () https://phabricator.wikimedia.org/T245850 - Exploit, Third Party Advisory |
Information
Published : 2020-02-24 23:15
Updated : 2024-11-21 05:40
NVD link : CVE-2020-9382
Mitre link : CVE-2020-9382
CVE.ORG link : CVE-2020-9382
JSON object : View
Products Affected
widgets_project
- widgets
CWE
CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')