CVE-2020-29007: Code Injection
First published: Sat Apr 15 2023(Updated: )
The Score extension through 0.3.0 for MediaWiki has a remote code execution vulnerability due to improper sandboxing of the GNU LilyPond executable. This allows any user with an ability to edit articles (potentially including unauthenticated anonymous users) to execute arbitrary Scheme or shell code by using crafted {{Image data to generate musical scores containing malicious code.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mediawiki Score | <=0.3.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2020-29007?
CVE-2020-29007 is a remote code execution vulnerability in the Score extension for MediaWiki.
How severe is CVE-2020-29007?
CVE-2020-29007 has a severity rating of 9.8 (critical).
What software is affected by CVE-2020-29007?
The Score extension through version 0.3.0 for MediaWiki is affected by CVE-2020-29007.
How can I fix CVE-2020-29007?
To fix CVE-2020-29007, update the Score extension for MediaWiki to a version beyond 0.3.0.
Where can I find more information about CVE-2020-29007?
You can find more information about CVE-2020-29007 on GitHub, Phabricator, and Seqred's website.
- collector/nvd-index
- agent/severity
- agent/author
- agent/weakness
- agent/references
- agent/type
- agent/event
- agent/description
- agent/last-modified-date
- agent/first-publish-date
- agent/softwarecombine
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/mediawiki
- canonical/mediawiki score
- version/mediawiki score/0.3.0