CVE-2024-29897: CreateWiki Leak of suppressed wiki requests outside of `CreateWikiGlobalWiki`
First published: Thu Mar 28 2024(Updated: )
CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. It is possible for users with (delete) or (suppressrevision) on any wiki in the farm to access suppressed wiki requests by going to the request's entry on Special:RequestWikiQueue on the wiki where they have these rights. The same vulnerability was present briefly on the REST API before being quickly corrected in commit `6bc0685`. To our knowledge, the vulnerable commits of the REST API are not running in production anywhere. This vulnerability is fixed in 23415c17ffb4832667c06abcf1eadadefd4c8937.
Credit: security-advisories@github.com
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/title
- agent/references
- agent/first-publish-date
- agent/type
- agent/description
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/nvd-api
- source/NVD
- agent/author
- agent/last-modified-date
- agent/severity
- agent/tags
- agent/event