vulnerability
MediaWiki: CVE-2023-3550: Improper Neutralization of Input During Web Page Generation
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 8 | (AV:N/AC:M/Au:S/C:C/I:C/A:N) | Sep 25, 2023 | Sep 28, 2023 | May 6, 2026 |
Severity
8
CVSS
(AV:N/AC:M/Au:S/C:C/I:C/A:N)
Published
Sep 25, 2023
Added
Sep 28, 2023
Modified
May 6, 2026
Description
Mediawiki v1.40.0 does not validate namespaces used in XML files.
Therefore, if the instance administrator allows XML file uploads,
a remote attacker with a low-privileged user account can use this
exploit to become an administrator by sending a malicious link to
the instance administrator.
Therefore, if the instance administrator allows XML file uploads,
a remote attacker with a low-privileged user account can use this
exploit to become an administrator by sending a malicious link to
the instance administrator.
Solution
mediawiki-upgrade-latest
References
- CVE-2023-3550
- https://attackerkb.com/topics/CVE-2023-3550
- https://fluidattacks.com/advisories/blondie/
- https://lists.debian.org/debian-lts-announce/2023/11/msg00027.html
- https://lists.fedoraproject.org/archives/list/[email protected]/message/FU2FGUXXK6TMV6R52VRECLC6XCSQQISY/
- https://www.debian.org/security/2023/dsa-5520
- https://www.mediawiki.org/wiki/MediaWiki/
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2023-44206
- CWE-79
- EUVD-EUVD-2023-44206
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.