Vulnerability CVE-2020-9382: Information

Description

An issue was discovered in the Widgets extension through 1.4.0 for MediaWiki. Improper title sanitization allowed for the execution of any wiki page as a widget (as defined by this extension) via MediaWiki's {{#widget:}} parser function.

Severity: MEDIUM (5.4) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Published: Feb. 25, 2020
Modified: July 21, 2021
Error type identifier: CWE-74

Fixed packages

| Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
|---|---|---|---|---|---|---|
| mediawiki-extensions-Widgets | sisyphus | 1.3.0-alt1git | 1.3.0-alt1git | ALT-PU-2021-2069-1 | 276124 | Fixed |
| mediawiki-extensions-Widgets | p10 | 1.3.0-alt1git | 1.3.0-alt1git | ALT-PU-2021-2069-1 | 276124 | Fixed |
| mediawiki-extensions-Widgets | p9 | 1.3.0-alt1git | 1.3.0-alt1git | ALT-PU-2021-2092-1 | 274917 | Fixed |
| mediawiki-extensions-Widgets | c10f1 | 1.3.0-alt1git | 1.3.0-alt1git | ALT-PU-2021-2069-1 | 276124 | Fixed |
| mediawiki-extensions-Widgets | p11 | 1.3.0-alt1git | 1.3.0-alt1git | ALT-PU-2021-2069-1 | 276124 | Fixed |

References to Advisories, Solutions, and Tools

    1. Configuration 1

      cpe:2.3:a:widgets_project:widgets:*:*:*:*:*:mediawiki:*:*
      End including: 1.4.0