Home > Vulnerability Database > CVE-2024-29897

Mend.io Vulnerability Database

CVE-2024-29897

Date: March 28, 2024

CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. It is possible for users with (delete) or (suppressrevision) on any wiki in the farm to access suppressed wiki requests by going to the request's entry on Special:RequestWikiQueue on the wiki where they have these rights. The same vulnerability was present briefly on the REST API before being quickly corrected in commit "6bc0685". To our knowledge, the vulnerable commits of the REST API are not running in production anywhere. This vulnerability is fixed in 23415c17ffb4832667c06abcf1eadadefd4c8937.

Language: PHP

Severity Score

4.9

Related Resources (6)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-29897

Url: https://github.com/miraheze/CreateWiki/security/advisories/GHSA-4rcf-3cj2-46mq

Url: https://github.com/miraheze/mw-config/commit/fb3e68bcef459e9cf2a415241b28042a6c9727e8

Url: https://issue-tracker.miraheze.org/F3093343

Url: https://issue-tracker.miraheze.org/T11999

Url: https://www.mend.io/vulnerability-database/CVE-2024-29897

Severity Score

4.9

Weakness Type (CWE)

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

CVSS v3.1

Base Score:	4.9
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-29897

Date: March 28, 2024

Language: PHP

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?