CVE-2020-9382
MEDIUMWidgets extension < 1.4.0 - Unauthenticated Arbitrary Wiki Page Execution via #widget Parser Function
Title source: llmDescription
An issue was discovered in the Widgets extension through 1.4.0 for MediaWiki. Improper title sanitization allowed for the execution of any wiki page as a widget (as defined by this extension) via MediaWiki's {{#widget:}} parser function.
References (2)
Core 2
Core References
Exploit, Third Party Advisory x_refsource_misc
https://phabricator.wikimedia.org/T245850
Patch, Third Party Advisory x_refsource_misc
https://gerrit.wikimedia.org/r/q/I953e060bc6994ffdba9f380c98173f53f8ca1ea8
Scores
CVSS v3
5.4
EPSS
0.0097
EPSS Percentile
57.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Details
CWE
CWE-74
Status
published
Products (1)
widgets_project/widgets
< 1.4.0
Published
Feb 24, 2020
Tracked Since
Feb 18, 2026