CVE-2024-47845
📋 TL;DR
This vulnerability allows attackers to inject malicious code through improper output encoding in MediaWiki's CSS Extension. It affects MediaWiki installations using the CSS Extension in specific vulnerable versions, potentially enabling cross-site scripting (XSS) or other client-side attacks against users viewing affected pages.
💻 Affected Systems
- MediaWiki CSS Extension
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could execute arbitrary JavaScript in users' browsers, potentially stealing session cookies, performing actions as authenticated users, or redirecting to malicious sites.
Likely Case
Cross-site scripting attacks leading to session hijacking, credential theft, or defacement of wiki pages.
If Mitigated
Limited impact if proper Content Security Policies are implemented and user input validation is enforced elsewhere.
🎯 Exploit Status
Exploitation requires ability to edit CSS content in MediaWiki, typically requiring edit permissions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: MediaWiki 1.39.9, 1.41.3, or 1.42.2
Vendor Advisory: https://phabricator.wikimedia.org/T368594
Restart Required: No
Instructions:
1. Back up your MediaWiki installation.
2. Update MediaWiki to version 1.39.9, 1.41.3, or 1.42.2.
3. Verify the update completed successfully.
4. Clear any caches if applicable.
🔧 Temporary Workarounds
Disable CSS Extension
Temporarily disable the vulnerable CSS Extension until patching is possible.
Edit LocalSettings.php and add: $wgUseSiteCss = false; (this setting stops site-wide stylesheets such as MediaWiki:Common.css from being served; to unload the extension itself, also remove its wfLoadExtension( 'CSS' ); line from LocalSettings.php.)
Restrict CSS Editing Permissions
Limit who can edit CSS pages to trusted administrators only.
Edit LocalSettings.php and configure $wgGroupPermissions to restrict the 'editinterface' right to trusted groups.
🧯 If You Can't Patch
- Implement strict Content Security Policy headers to mitigate XSS impact
- Enable MediaWiki's built-in XSS protection features and input validation
🔍 How to Verify
Check if Vulnerable:
Check the MediaWiki version in includes/DefaultSettings.php or via the Special:Version page, and verify whether it falls within the affected ranges (below the patched releases listed above).
Check Version:
grep 'wgVersion' includes/DefaultSettings.php
Verify Fix Applied:
Confirm via the Special:Version page that the MediaWiki version is 1.39.9, 1.41.3, or 1.42.2, or a later release in the same branch.
📡 Detection & Monitoring
Log Indicators:
- Unusual CSS page edits, especially with script tags or JavaScript content
- Multiple failed edit attempts on CSS pages
Network Indicators:
- Unexpected JavaScript execution from CSS resources
- Suspicious outbound connections following CSS page views
SIEM Query:
source="mediawiki" AND (event="edit" AND page_title="*.css") AND user_agent!="bot"
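The two log indicators above, applied to constructed sample edit-log lines as an added example (not part of this advisory, and not MediaWiki's own log format; the "timestamp user action page_title "content"" layout, the `editfail` action name and the three-attempt threshold are assumptions for illustration):

```python
import re
from collections import Counter

# Constructed sample edit-log lines (not from a real wiki), in a simplified
# 'timestamp user action page_title "content"' layout assumed for this example.
SAMPLE_LOG = """\
2024-10-01T10:00:01Z alice edit MediaWiki:Common.css "tweak table borders"
2024-10-01T10:02:14Z mallory edit MediaWiki:Common.css "</style><script>alert(1)</script>"
2024-10-01T10:03:30Z mallory editfail MediaWiki:Vector.css "permission denied"
2024-10-01T10:03:45Z mallory editfail MediaWiki:Vector.css "permission denied"
2024-10-01T10:04:02Z mallory editfail MediaWiki:Vector.css "permission denied"
2024-10-01T10:05:00Z bob edit Main_Page "fix typo"
2024-10-01T10:06:00Z carol edit User:Carol/common.css "body{background:url(javascript:alert(1))}"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<user>\S+) (?P<action>\S+) (?P<title>\S+) "(?P<content>.*)"$')

# Markup that has no business inside a stylesheet: script/style tags, javascript: URLs,
# legacy IE expression(), and inline event handlers.
SCRIPTY_RE = re.compile(r'<\s*/?\s*(script|style)\b|javascript\s*:|expression\s*\(|\bon\w+\s*=', re.I)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_css_page(title):
    """Site and user stylesheets are pages whose title ends in .css."""
    return title.lower().endswith(".css")


def analyze(log_text, fail_threshold=3):
    """Apply the two log indicators: script-like content in CSS page edits, and
    repeated failed edit attempts on CSS pages by the same user."""
    suspicious = []
    failures = Counter()
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev or not is_css_page(ev["title"]):
            continue
        if ev["action"] == "edit" and SCRIPTY_RE.search(ev["content"]):
            suspicious.append((ev["user"], ev["title"]))
        elif ev["action"] == "editfail":
            failures[(ev["user"], ev["title"])] += 1
    repeated = [(u, t, n) for (u, t), n in failures.items() if n >= fail_threshold]
    return {"suspicious_edits": suspicious, "repeated_failures": repeated}


if __name__ == "__main__":
    for key, hits in analyze(SAMPLE_LOG).items():
        print(key, hits)
```

Hits from `suspicious_edits` are candidates for review of the page's current revision, not proof of exploitation; benign edits that quote these strings inside comments will also match.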