Description
ImportDump is a MediaWiki extension that automates user import requests. A requester's local actor ID is stored in the database to record who made which request. Because actor IDs are local to each wiki, a user on another wiki who happens to have the same actor ID as a requester on the central wiki can act as if they were the original requester. This can be abused to create new comments on the request, edit it, and view it if it is marked private. The issue has been addressed in commit `5c91dfc`, and all users are advised to update. Users unable to update may disable the special page outside their global wiki; see `miraheze/mw-config@e566499` for details.
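The identity confusion described above, modelled as an added example (not ImportDump's own code): each wiki has its own actor table, so an authorization check that compares local actor IDs passes for an unrelated user on another wiki, while a check keyed on a wiki-independent central user ID does not. The wiki names, users and ID values are constructed, and keying on a central ID is one possible remediation, not a description of what commit `5c91dfc` does.

```python
from dataclasses import dataclass

# Constructed sample data: every wiki has its own actor table, so the same
# local actor ID can refer to different people on different wikis.
ACTOR_TABLES = {
    "centralwiki": {7: "Alice"},
    "otherwiki": {7: "Mallory"},
}
# Constructed central-ID table: one global ID per person, shared by all wikis.
CENTRAL_IDS = {"Alice": 1001, "Mallory": 1002}

@dataclass(frozen=True)
class Viewer:
    wiki: str            # wiki the viewer is logged in on
    local_actor_id: int  # actor ID in that wiki's own actor table

    @property
    def username(self) -> str:
        return ACTOR_TABLES[self.wiki][self.local_actor_id]

    @property
    def central_id(self) -> int:
        return CENTRAL_IDS[self.username]

@dataclass(frozen=True)
class ImportRequest:
    requester_actor_id: int    # local actor ID, as the flawed design stored it
    requester_central_id: int  # wiki-independent ID a sound check needs
    private: bool = True

def can_view_vulnerable(req: ImportRequest, viewer: Viewer) -> bool:
    """Flawed check: local actor IDs collide across wikis, so any user
    holding the same number on another wiki is treated as the requester."""
    return not req.private or viewer.local_actor_id == req.requester_actor_id

def can_view_fixed(req: ImportRequest, viewer: Viewer) -> bool:
    """Sound check: compare an identity that is unique across all wikis."""
    return not req.private or viewer.central_id == req.requester_central_id

def demo() -> dict:
    """Returns (requester allowed, other-wiki user allowed) for both checks."""
    alice = Viewer("centralwiki", 7)
    mallory = Viewer("otherwiki", 7)  # same actor ID, different person
    req = ImportRequest(alice.local_actor_id, alice.central_id)
    return {
        "vulnerable": (can_view_vulnerable(req, alice), can_view_vulnerable(req, mallory)),
        "fixed": (can_view_fixed(req, alice), can_view_fixed(req, mallory)),
    }
```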
References (4)
- Vendor Advisory (x_refsource_confirm): https://github.com/miraheze/ImportDump/security/advisories/GHSA-jjmq-mg36-6387
- Patch (x_refsource_misc): https://github.com/miraheze/ImportDump/commit/5c91dfce78320e717516ee65ef5a05f01979ee6c
- Patch (x_refsource_misc): https://github.com/miraheze/mw-config/commit/e5664995fbb8644f9a80b450b4326194f20f9ddc
- Various Sources (x_refsource_misc): https://issue-tracker.miraheze.org/T12701
Scores
- CVSS v3: 6.4
- EPSS: 0.0014
- EPSS Percentile: 34.3%
- Attack Vector: NETWORK
- CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L

CISA SSVC (Vulnrichment)
- Exploitation: none
- Automatable: no
- Technical Impact: partial
Details
- CWE: CWE-282
- Status: published
- Products (1): miraheze/ImportDump, commits prior to 5c91dfc
- Published: Oct 09, 2024
- Tracked Since: Feb 18, 2026