Home > Vulnerability Database > CVE-2020-29007

Mend.io Vulnerability Database

CVE-2020-29007

Date: April 15, 2023

The Score extension through 0.3.0 for MediaWiki has a remote code execution vulnerability due to improper sandboxing of the GNU LilyPond executable. This allows any user with an ability to edit articles (potentially including unauthenticated anonymous users) to execute arbitrary Scheme or shell code by using crafted {{Image data to generate musical scores containing malicious code.

Language: PHP

Severity Score

9.8

Related Resources (7)

Url: https://seqred.pl/en/cve-2020-29007-remote-code-execution-in-mediawiki-score/

Url: https://github.com/seqred-s-a/cve-2020-29007

Url: https://www.mediawiki.org/wiki/Extension:Score

Url: https://nvd.nist.gov/vuln/detail/CVE-2020-29007

Url: https://www.mediawiki.org/wiki/Extension:Score/2021_security_advisory

Url: https://phabricator.wikimedia.org/T257062

Url: https://www.mend.io/vulnerability-database/CVE-2020-29007

Severity Score

9.8

Weakness Type (CWE)

Code Injection

CWE-94

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2020-29007

Date: April 15, 2023

Language: PHP

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?