{"id":"CVE-2024-25107","summary":"Cross-Site Scripting in WikiDiscover","details":"WikiDiscover is an extension designed for use with a CreateWiki managed farm to display wikis. On Special:WikiDiscover, the `Language::date` function is used when making the human-readable timestamp for inclusion on the wiki_creation column. This function uses interface messages to translate the names of months and days. It uses the `-\u003etext()` output mode, returning unescaped interface messages. Since the output is not escaped later, the unescaped interface message is included on the output, resulting in an XSS vulnerability. Exploiting this on-wiki requires the `(editinterface)` right. This vulnerability has been addressed in commit `267e763a0`. Users are advised to update their installations. There are no known workarounds for this vulnerability.","aliases":["GHSA-cfcf-94jv-455f"],"modified":"2026-04-16T04:12:40.751908Z","published":"2024-02-08T22:46:39.144Z","database_specific":{"cwe_ids":["CWE-79"],"unresolved_ranges":[{"extracted_events":[{"fixed":"267e763a0d7"}],"source":"AFFECTED_FIELD"}],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/25xxx/CVE-2024-25107.json"},"references":[{"type":"WEB","url":"https://issue-tracker.miraheze.org/T11814"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/25xxx/CVE-2024-25107.json"},{"type":"ADVISORY","url":"https://github.com/miraheze/WikiDiscover/security/advisories/GHSA-cfcf-94jv-455f"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-25107"},{"type":"FIX","url":"https://github.com/miraheze/WikiDiscover/commit/267e763a0d7460f001693c42f67717a0fc3fd6bb"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/miraheze/wikidiscover","events":[{"introduced":"0"},{"fixed":"267e763a0d7460f001693c42f67717a0fc3fd6bb"}]},{"type":"GIT","repo":"https://github.com/miraheze/wikidiscover","events":[{"introduced":"0"},{"fixed":"267e763a0d7460f001693c42f67717a0fc3fd6bb"}]}],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"2023-02-08"}]}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-25107.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N"}]}