CVE-2020-29007
📋 TL;DR
This vulnerability allows remote code execution in MediaWiki installations using the Score extension. Any user with article edit permissions (including potentially unauthenticated users) can execute arbitrary Scheme or shell code by crafting malicious musical score data. This affects MediaWiki sites with the vulnerable Score extension installed.
💻 Affected Systems
- MediaWiki Score extension
📦 What is this software?
Score by Mediawiki
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise allowing attackers to execute arbitrary commands, steal data, install malware, or pivot to other systems.
Likely Case
Unauthorized code execution leading to data theft, website defacement, or further exploitation of the server.
If Mitigated
Limited impact if edit permissions are restricted to trusted users only, though risk remains for authorized but malicious users.
🎯 Exploit Status
Exploitation is straightforward with publicly available proof-of-concept code; unauthenticated access depends on MediaWiki's edit permissions configuration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Score extension version 0.3.1 or later
Vendor Advisory: https://www.mediawiki.org/wiki/Extension:Score/2021_security_advisory
Restart Required: No
Instructions:
1. Update the Score extension to version 0.3.1 or later via MediaWiki's extension management or manual installation. 2. Verify the update by checking the extension version in MediaWiki's configuration or admin interface.
🔧 Temporary Workarounds
Disable Score extension
allTemporarily disable the vulnerable Score extension to prevent exploitation.
Remove or comment out the line 'wfLoadExtension( 'Score' );' in LocalSettings.php
Restrict edit permissions
allLimit article edit permissions to trusted users only to reduce attack surface.
Configure MediaWiki's $wgGroupPermissions or similar settings to restrict editing
🧯 If You Can't Patch
- Disable the Score extension immediately to eliminate the vulnerability.
- Implement strict access controls to limit edit permissions to essential, trusted users only.
🔍 How to Verify
Check if Vulnerable:
Check if the Score extension is installed and its version is 0.3.0 or earlier in MediaWiki's extension list or configuration files.Check Version:
grep -r 'Score' /path/to/mediawiki/extensions/ or check MediaWiki's Special:Version pageVerify Fix Applied:
Confirm that the Score extension version is 0.3.1 or later after updating.📡 Detection & Monitoring
Log Indicators:
- Unusual edit activity involving Score tags or LilyPond commands in MediaWiki logs
- System logs showing unexpected shell or Scheme code execution
Network Indicators:
- Suspicious outbound connections from the MediaWiki server post-edit
SIEM Query:
source="mediawiki_logs" AND ("Score" OR "LilyPond") AND edit_action🔗 References
- https://github.com/seqred-s-a/cve-2020-29007
- https://phabricator.wikimedia.org/T257062
- https://seqred.pl/en/cve-2020-29007-remote-code-execution-in-mediawiki-score/
- https://www.mediawiki.org/wiki/Extension:Score
- https://www.mediawiki.org/wiki/Extension:Score/2021_security_advisory
- https://github.com/seqred-s-a/cve-2020-29007
- https://phabricator.wikimedia.org/T257062
- https://seqred.pl/en/cve-2020-29007-remote-code-execution-in-mediawiki-score/
- https://www.mediawiki.org/wiki/Extension:Score
- https://www.mediawiki.org/wiki/Extension:Score/2021_security_advisory
