CVE-2022-29903 - Vulnerability Details - OpenCVE

The Private Domains extension for MediaWiki through 1.37.2 (before 1ad65d4c1c199b375ea80988d99ab51ae068f766) allows CSRF for editing pages that store the extension's configuration. The attacker must trigger a POST request to Special:PrivateDomains.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mediawiki	Mediawiki

Configuration 1 [-]

cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/PrivateDomains/+/783416
https://phabricator.wikimedia.org/T306290

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-04-29T03:44:15

Updated: 2024-08-03T06:33:43.184Z

Reserved: 2022-04-29T00:00:00

Link: CVE-2022-29903

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-04-29T04:15:10.073

Modified: 2024-11-21T06:59:56.403

Link: CVE-2022-29903

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The Private Domains extension for MediaWiki through 1.37.2 (before 1ad65d4c1c199b375ea80988d99ab51ae068f766) allows CSRF for editing pages that store the extension's configuration. The attacker must trigger a POST request to Special:PrivateDomains."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-04-29T03:44:15", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://phabricator.wikimedia.org/T306290"}, {"tags": ["x_refsource_MISC"], "url": "https://gerrit.wikimedia.org/r/c/mediawiki/extensions/PrivateDomains/+/783416"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-29903", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Private Domains extension for MediaWiki through 1.37.2 (before 1ad65d4c1c199b375ea80988d99ab51ae068f766) allows CSRF for editing pages that store the extension's configuration. The attacker must trigger a POST request to Special:PrivateDomains."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://phabricator.wikimedia.org/T306290", "refsource": "MISC", "url": "https://phabricator.wikimedia.org/T306290"}, {"name": "https://gerrit.wikimedia.org/r/c/mediawiki/extensions/PrivateDomains/+/783416", "refsource": "MISC", "url": "https://gerrit.wikimedia.org/r/c/mediawiki/extensions/PrivateDomains/+/783416"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T06:33:43.184Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://phabricator.wikimedia.org/T306290"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://gerrit.wikimedia.org/r/c/mediawiki/extensions/PrivateDomains/+/783416"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-29903", "datePublished": "2022-04-29T03:44:15", "dateReserved": "2022-04-29T00:00:00", "dateUpdated": "2024-08-03T06:33:43.184Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "40FFFEA4-A471-43C1-870B-10960DE725CF", "versionEndIncluding": "1.37.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Private Domains extension for MediaWiki through 1.37.2 (before 1ad65d4c1c199b375ea80988d99ab51ae068f766) allows CSRF for editing pages that store the extension's configuration. The attacker must trigger a POST request to Special:PrivateDomains."}, {"lang": "es", "value": "La extensi\u00f3n Private Domains para MediaWiki versiones hasta 1.37.2, (anteriores a 1ad65d4c1c199b375ea80988d99ab51ae068f766) permite una vulnerabilidad de tipo CSRF para la edici\u00f3n de p\u00e1ginas que almacenan la configuraci\u00f3n de la extensi\u00f3n. El atacante debe lanzar una petici\u00f3n POST a Special:PrivateDomains"}], "id": "CVE-2022-29903", "lastModified": "2024-11-21T06:59:56.403", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-04-29T04:15:10.073", "references": [{"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://gerrit.wikimedia.org/r/c/mediawiki/extensions/PrivateDomains/+/783416"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://phabricator.wikimedia.org/T306290"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://gerrit.wikimedia.org/r/c/mediawiki/extensions/PrivateDomains/+/783416"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://phabricator.wikimedia.org/T306290"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}