CVE-2024-25107

Summary

CVE-2024-25107 is a newly identified XSS vulnerability affecting the WikiDiscover extension for CreateWiki managed farms. The issue lies in the `Language::date` function used to generate human-readable timestamps on Special:WikiDiscover. This function employs unescaped interface messages, which are directly passed to the output without any further escaping. By exploiting this on-wiki, an attacker with the `(editinterface)` right can inject malicious code, posing a significant security risk. Users are strongly advised to update their installations to address this vulnerability, as no known workarounds currently exist. The issue has been rectified in commit `267e763a0`.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.