CVE-2022-29547

HIGH

CreateRedirect < 2022-04-14 - Unauthenticated Page Edit via Permission Bypass

Title source: llm

Description

The CreateRedirect extension before 2022-04-14 for MediaWiki does not properly check whether the user has permissions to edit the target page. This could lead to an unauthorised (or blocked) user being able to edit a page.

References (3)

Core References
Vendor Advisory x_refsource_misc
https://phabricator.wikimedia.org/T306174
Issue Tracking, Third Party Advisory x_refsource_misc
https://phabricator.miraheze.org/T9061

Scores

CVSS v3 7.5
EPSS 0.0017
EPSS Percentile 37.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE
CWE-276
Status published
Products (1)
mediawiki/createredirect < 2022-04-14
Published Apr 21, 2022
Tracked Since Feb 18, 2026