CVE-2023-3550 - OpenCVE

Mediawiki v1.40.0 does not validate namespaces used in XML files. Therefore, if the instance administrator allows XML file uploads, a remote attacker with a low-privileged user account can use this exploit to become an administrator by sending a malicious link to the instance administrator.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Debian	Debian Linux
Mediawiki	Mediawiki

Configuration 1 [-]

cpe:2.3:a:mediawiki:mediawiki:1.40.0:-:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:debian:debian_linux:10.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*

References

Link	Resource
https://fluidattacks.com/advisories/blondie/	Exploit Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/11/msg00027.html	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FU2FGUXXK6TMV6R52VRECLC6XCSQQISY/
https://www.debian.org/security/2023/dsa-5520	Third Party Advisory
https://www.mediawiki.org/wiki/MediaWiki/	Product

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Fluid Attacks

Published: 2023-09-25T15:20:27.351Z

Updated: 2023-09-25T15:20:27.351Z

Reserved: 2023-07-08T01:02:40.399Z

Link: CVE-2023-3550

JSON object: View

NVD Information

Status : Modified

Published: 2023-09-25T16:15:14.347

Modified: 2024-06-10T17:16:13.043

Link: CVE-2023-3550

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2023-3550", "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "state": "PUBLISHED", "assignerShortName": "Fluid Attacks", "dateReserved": "2023-07-08T01:02:40.399Z", "datePublished": "2023-09-25T15:20:27.351Z", "dateUpdated": "2023-09-25T15:20:27.351Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["MacOS"], "product": "MediaWiki", "vendor": "MediaWiki", "versions": [{"status": "affected", "version": "1.40.0"}]}], "datePublic": "2023-10-11T17:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div><div>Mediawiki v1.40.0 does not validate namespaces used in XML files.</div><div>Therefore, if the instance administrator allows XML file uploads,</div><div>a remote attacker with a low-privileged user account can use this</div><div>exploit to become an administrator by sending a malicious link to</div><div>the instance administrator.</div></div>"}], "value": "Mediawiki v1.40.0 does not validate namespaces used in XML files.\n\nTherefore, if the instance administrator allows XML file uploads,\n\na remote attacker with a low-privileged user account can use this\n\nexploit to become an administrator by sending a malicious link to\n\nthe instance administrator.\n\n\n\n"}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "shortName": "Fluid Attacks", "dateUpdated": "2023-09-25T15:20:27.351Z"}, "references": [{"url": "https://fluidattacks.com/advisories/blondie/"}, {"url": "https://www.mediawiki.org/wiki/MediaWiki/"}, {"url": "https://www.debian.org/security/2023/dsa-5520"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00027.html"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FU2FGUXXK6TMV6R52VRECLC6XCSQQISY/"}], "source": {"discovery": "EXTERNAL"}, "title": "Stored XSS leads to privilege escalation in MediaWiki v1.40.0", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mediawiki:mediawiki:1.40.0:-:*:*:*:*:*:*", "matchCriteriaId": "195C853F-2D51-44A4-990E-8E04FF4E9AA8", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Mediawiki v1.40.0 does not validate namespaces used in XML files.\n\nTherefore, if the instance administrator allows XML file uploads,\n\na remote attacker with a low-privileged user account can use this\n\nexploit to become an administrator by sending a malicious link to\n\nthe instance administrator.\n\n\n\n"}, {"lang": "es", "value": "Mediawiki v1.40.0 no valida los espacios de nombres utilizados en archivos XML. Por lo tanto, si el administrador de la instancia permite la carga de archivos XML, un atacante remoto con una cuenta de usuario con pocos privilegios puede utilizar este exploit para convertirse en administrador enviando un enlace malicioso al administrador de la instancia.\n"}], "id": "CVE-2023-3550", "lastModified": "2024-06-10T17:16:13.043", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.2, "source": "help@fluidattacks.com", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Secondary"}]}, "published": "2023-09-25T16:15:14.347", "references": [{"source": "help@fluidattacks.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://fluidattacks.com/advisories/blondie/"}, {"source": "help@fluidattacks.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00027.html"}, {"source": "help@fluidattacks.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FU2FGUXXK6TMV6R52VRECLC6XCSQQISY/"}, {"source": "help@fluidattacks.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2023/dsa-5520"}, {"source": "help@fluidattacks.com", "tags": ["Product"], "url": "https://www.mediawiki.org/wiki/MediaWiki/"}], "sourceIdentifier": "help@fluidattacks.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "help@fluidattacks.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Secondary"}]}