CVE-2024-47782
📋 TL;DR
CVE-2024-47782 is a cross-site scripting (XSS) vulnerability in the WikiDiscover extension for CreateWiki-managed wiki farms. The vulnerability allows attackers to execute arbitrary JavaScript code when viewing the Special:WikiDiscover page if a wiki's name or description contains malicious payloads. All users running unpatched versions of WikiDiscover are affected.
💻 Affected Systems
- WikiDiscover extension for MediaWiki/CreateWiki
📦 What is this software?
WikiDiscover by Miraheze
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, redirect users to malicious sites, perform actions on behalf of authenticated users, or deface the wiki discovery page.
Likely Case
Attackers with wiki editing privileges could embed XSS payloads in wiki names/descriptions, leading to session hijacking or credential theft for users viewing the discovery page.
If Mitigated
With proper input validation and output encoding, the XSS payloads would be rendered harmless as text rather than executable code.
🎯 Exploit Status
Exploitation requires ability to set wiki name/description (typically admin/editor privileges), but execution affects all users viewing the discovery page.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit 2ce846dd93ddb9ec86f7472c4d57fe71a09dc827
Vendor Advisory: https://github.com/miraheze/WikiDiscover/security/advisories/GHSA-wf48-rqx3-39mf
Restart Required: No
Instructions:
1. Update the WikiDiscover extension to include commit 2ce846dd93.
2. Apply the patch via git pull or manual file replacement.
3. Clear any caches if applicable.
🔧 Temporary Workarounds
Block Special:WikiDiscover access: prevent access to the vulnerable special page by adding access restriction rules to the web server configuration or application firewall.
🧯 If You Can't Patch
- Block all access to Special:WikiDiscover page using web server rules or application-level restrictions.
- Implement Content Security Policy (CSP) headers to mitigate XSS impact.
🔍 How to Verify
Check if Vulnerable:
Check whether the WikiDiscover extension is installed and whether the Special:WikiDiscover page displays unescaped HTML in wiki names or descriptions.
Check Version:
git log --oneline | grep 2ce846dd93
Verify Fix Applied:
Verify that commit 2ce846dd93 is present in the WikiDiscover codebase and that wiki names/descriptions are properly HTML-encoded on Special:WikiDiscover.
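The following is an added illustration (not WikiDiscover's own code) of the output-encoding point under "If Mitigated" and of the "Verify Fix Applied" check above: a wiki name or description is entity-encoded before it is placed into the discovery listing, and a small helper reports whether markup from an untrusted field reached the rendered HTML verbatim. The record fields and the table layout are assumptions; the sample records are constructed.

```python
# Added example, not code from the WikiDiscover extension.
# Shows the vulnerable interpolation pattern beside the mitigated one and a
# check that mirrors "does the page source contain my raw markup?".
import html

# Constructed sample records; field names are assumptions. The markup in the
# second record stands in for any untrusted content stored in a wiki's
# name or description.
WIKIS = [
    {"dbname": "examplewiki", "name": "Example Wiki",
     "description": "A plain description."},
    {"dbname": "testwiki", "name": "Test <b>Wiki</b>",
     "description": "Desc <script>x()</script> here"},
]


def render_row_unsafe(wiki):
    """Vulnerable pattern: untrusted fields interpolated straight into HTML."""
    return f"<tr><td>{wiki['name']}</td><td>{wiki['description']}</td></tr>"


def render_row_safe(wiki):
    """Mitigated pattern: every untrusted field is entity-encoded first, so
    '<', '>', '&' and quotes arrive in the browser as text, not markup."""
    name = html.escape(wiki["name"], quote=True)
    desc = html.escape(wiki["description"], quote=True)
    return f"<tr><td>{name}</td><td>{desc}</td></tr>"


def contains_unescaped_markup(rendered_html, untrusted_values):
    """Verification helper: True if any untrusted value that carries markup
    characters appears verbatim (unencoded) in the rendered HTML."""
    for value in untrusted_values:
        if ("<" in value or ">" in value) and value in rendered_html:
            return True
    return False


def page_is_properly_encoded(wikis, renderer):
    """Render every record with `renderer` and report whether all untrusted
    fields were encoded. Intended as the programmatic form of the manual
    'view source on Special:WikiDiscover' check."""
    for wiki in wikis:
        fields = [wiki["name"], wiki["description"]]
        if contains_unescaped_markup(renderer(wiki), fields):
            return False
    return True


if __name__ == "__main__":
    for wiki in WIKIS:
        print("unsafe:", render_row_unsafe(wiki))
        print("safe:  ", render_row_safe(wiki))
    print("unsafe renderer encoded?", page_is_properly_encoded(WIKIS, render_row_unsafe))
    print("safe renderer encoded?  ", page_is_properly_encoded(WIKIS, render_row_safe))
```

The check deliberately looks for the raw field text rather than for any `<` in the output, because the listing's own table tags are legitimate markup; what must never appear is an untrusted value with its angle brackets intact.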
📡 Detection & Monitoring
Log Indicators:
- Unusual wiki name/description updates containing script tags or JavaScript code
- Multiple requests to Special:WikiDiscover from single IPs
Network Indicators:
- HTTP requests to Special:WikiDiscover with suspicious parameters
SIEM Query:
web_access_logs WHERE uri LIKE '%Special:WikiDiscover%' AND (user_agent CONTAINS suspicious_pattern OR referrer CONTAINS suspicious_pattern)
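As an added detection example (not part of this advisory), the script below implements the two log indicators listed above over constructed data: it counts Special:WikiDiscover requests per source IP in Apache combined-format access log lines and flags wiki name/description change records whose new value contains script tags or other JavaScript-carrying markup. The access log lines, the change records and their field names are constructed assumptions, not output from any real wiki farm.

```python
# Added example, not code from the advisory or the WikiDiscover project.
import re
from collections import Counter

# Constructed Apache combined-format access log lines (RFC 5737 test addresses).
ACCESS_LOG = """\
203.0.113.10 - - [10/Oct/2024:12:00:01 +0000] "GET /wiki/Special:WikiDiscover HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2024:12:00:02 +0000] "GET /wiki/Special:WikiDiscover?offset=50 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2024:12:00:03 +0000] "GET /wiki/Special:WikiDiscover?offset=100 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2024:12:01:00 +0000] "GET /wiki/Main_Page HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2024:12:01:30 +0000] "GET /wiki/Special:WikiDiscover HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Parses the client IP, request method, URI and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def discover_requests_per_ip(log_text):
    """Count requests whose URI targets Special:WikiDiscover, keyed by client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and "Special:WikiDiscover" in m.group("uri"):
            counts[m.group("ip")] += 1
    return counts


def noisy_sources(log_text, threshold=3):
    """IPs that hit the discovery page at least `threshold` times (sorted)."""
    return sorted(ip for ip, n in discover_requests_per_ip(log_text).items() if n >= threshold)


# Constructed wiki name/description change records; field names are assumptions
# standing in for whatever the wiki farm's settings/audit log provides.
UPDATES = [
    {"wiki": "examplewiki", "field": "description", "value": "Community for example things"},
    {"wiki": "testwiki", "field": "name", "value": "Test <script>x()</script>"},
    {"wiki": "otherwiki", "field": "description", "value": 'Click <a href="javascript:go()">here</a>'},
    {"wiki": "imgwiki", "field": "description", "value": '<img src=x onerror="go()">'},
]

# Script tags, javascript: URLs and inline event-handler attributes; a plain
# name or description has no legitimate need for any of these.
MARKUP_RE = re.compile(r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def suspicious_updates(updates):
    """Wikis whose name/description change carries JavaScript-bearing markup."""
    return [u["wiki"] for u in updates if MARKUP_RE.search(u["value"])]


if __name__ == "__main__":
    print("Special:WikiDiscover requests per IP:", dict(discover_requests_per_ip(ACCESS_LOG)))
    print("Sources at/above threshold:", noisy_sources(ACCESS_LOG))
    print("Suspicious name/description updates:", suspicious_updates(UPDATES))
```

The request-count threshold is a tuning knob: on a farm where the discovery page is linked from every wiki's sidebar, three hits from one address is normal traffic, so set it from a baseline rather than from this constructed sample. The markup check is the higher-value indicator, since it fires at the moment a payload is stored rather than when victims view it.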