Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for IncidentReporting by miraheze

    CVE-2024-47815 (GCVE-0-2024-47815)

    Vulnerability from nvd – Published: 2024-10-09 18:21 – Updated: 2024-10-09 19:48
    VLAI
    Title
    Cross-site Scripting in IncidentReporting
    Summary
    IncidentReporting is a MediaWiki extension for moving incident reports from wikitext to database tables. There are a variety of Cross-site Scripting issues, though all of them require elevated permissions. Some are available to anyone who has the `editincidents` right, some are available to those who can edit interface messages (typically administrators and interface admins), and one is available to those who can edit LocalSettings.php. These issues have been addressed in commit `43896a4` and all users are advised to upgrade. Users unable to upgrade should prevent access to the Special:IncidentReports page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    • CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
    Assigner
    Impacted products
    Vendor Product Version
    miraheze IncidentReporting Affected: commits prior to 43896a4
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-47815",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-09T19:47:48.120176Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-09T19:48:04.389Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "IncidentReporting",
              "vendor": "miraheze",
              "versions": [
                {
                  "status": "affected",
                  "version": "commits prior to 43896a4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "IncidentReporting is a MediaWiki extension for moving incident reports from wikitext to database tables. There are a variety of Cross-site Scripting issues, though all of them require elevated permissions. Some are available to anyone who has the `editincidents` right, some are available to those who can edit interface messages (typically administrators and interface admins), and one is available to those who can edit LocalSettings.php. These issues have been addressed in commit `43896a4` and all users are advised to upgrade. Users unable to upgrade should prevent access to the Special:IncidentReports page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 6,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-80",
                  "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-10-09T18:21:58.981Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/miraheze/IncidentReporting/security/advisories/GHSA-9p36-hrmr-98r9",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/miraheze/IncidentReporting/security/advisories/GHSA-9p36-hrmr-98r9"
            },
            {
              "name": "https://github.com/miraheze/IncidentReporting/commit/43896a47de4e05ac94ec0472c220da944da16c5c",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/miraheze/IncidentReporting/commit/43896a47de4e05ac94ec0472c220da944da16c5c"
            },
            {
              "name": "https://issue-tracker.miraheze.org/T12702",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://issue-tracker.miraheze.org/T12702"
            }
          ],
          "source": {
            "advisory": "GHSA-9p36-hrmr-98r9",
            "discovery": "UNKNOWN"
          },
          "title": "Cross-site Scripting in IncidentReporting"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-47815",
        "datePublished": "2024-10-09T18:21:58.981Z",
        "dateReserved": "2024-10-03T14:06:12.638Z",
        "dateUpdated": "2024-10-09T19:48:04.389Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-47815 (GCVE-0-2024-47815)

    Vulnerability from cvelistv5 – Published: 2024-10-09 18:21 – Updated: 2024-10-09 19:48
    VLAI
    Title
    Cross-site Scripting in IncidentReporting
    Summary
    IncidentReporting is a MediaWiki extension for moving incident reports from wikitext to database tables. There are a variety of Cross-site Scripting issues, though all of them require elevated permissions. Some are available to anyone who has the `editincidents` right, some are available to those who can edit interface messages (typically administrators and interface admins), and one is available to those who can edit LocalSettings.php. These issues have been addressed in commit `43896a4` and all users are advised to upgrade. Users unable to upgrade should prevent access to the Special:IncidentReports page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    • CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
    Assigner
    Impacted products
    Vendor Product Version
    miraheze IncidentReporting Affected: commits prior to 43896a4
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-47815",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-09T19:47:48.120176Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-09T19:48:04.389Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "IncidentReporting",
              "vendor": "miraheze",
              "versions": [
                {
                  "status": "affected",
                  "version": "commits prior to 43896a4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "IncidentReporting is a MediaWiki extension for moving incident reports from wikitext to database tables. There are a variety of Cross-site Scripting issues, though all of them require elevated permissions. Some are available to anyone who has the `editincidents` right, some are available to those who can edit interface messages (typically administrators and interface admins), and one is available to those who can edit LocalSettings.php. These issues have been addressed in commit `43896a4` and all users are advised to upgrade. Users unable to upgrade should prevent access to the Special:IncidentReports page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 6,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-80",
                  "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-10-09T18:21:58.981Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/miraheze/IncidentReporting/security/advisories/GHSA-9p36-hrmr-98r9",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/miraheze/IncidentReporting/security/advisories/GHSA-9p36-hrmr-98r9"
            },
            {
              "name": "https://github.com/miraheze/IncidentReporting/commit/43896a47de4e05ac94ec0472c220da944da16c5c",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/miraheze/IncidentReporting/commit/43896a47de4e05ac94ec0472c220da944da16c5c"
            },
            {
              "name": "https://issue-tracker.miraheze.org/T12702",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://issue-tracker.miraheze.org/T12702"
            }
          ],
          "source": {
            "advisory": "GHSA-9p36-hrmr-98r9",
            "discovery": "UNKNOWN"
          },
          "title": "Cross-site Scripting in IncidentReporting"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-47815",
        "datePublished": "2024-10-09T18:21:58.981Z",
        "dateReserved": "2024-10-03T14:06:12.638Z",
        "dateUpdated": "2024-10-09T19:48:04.389Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }