CVE-2024-47845

MEDIUM EPSS 29.7%

Published Oct 5, 20241y ago · Modified Jun 17, 20261w ago

6.9 CVSS 4.0

Medium

Published Oct 5, 2024 1y ago

Last Modified Jun 17, 2026 1w ago

Description

Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki - CSS Extension allows Code Injection.This issue affects Mediawiki - CSS Extension: from 1.39.X before 1.39.9, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2.

CVSS Details

Base Score

6.9

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope X

Threat Intelligence

EPSS Exploit Probability

29.7% percentile

Exploit & Patch Status

Public Exploit Known

Patch Available

Weaknesses 1

CWE-116

Affected Products 3

Vendor	Product	Version	Range
wikimedia	wikimedia-extensions-css	*	≥1.39.0 – <1.39.9
wikimedia	wikimedia-extensions-css	*	≥1.41.0 – <1.41.3
wikimedia	wikimedia-extensions-css	*	≥1.42.0 – <1.42.2

References 3

gerrit.wikimedia.org https://gerrit.wikimedia.org/r/q/I6f38f4a8fc1dcd690ab27b8f18ce6ca903bacc53

Patch
phabricator.wikimedia.org https://phabricator.wikimedia.org/T368594

ExploitIssue TrackingVendor Advisory
phabricator.wikimedia.org https://phabricator.wikimedia.org/T368628

Issue TrackingVendor Advisory

Remediation

gerrit.wikimedia.org https://gerrit.wikimedia.org/r/q/I6f38f4a8fc1dcd690ab27b8f18ce6ca903bacc53

Patch