Arbitrary Execution of Wiki Pages as Widgets in MediaWiki

Arbitrary Execution of Wiki Pages as Widgets in MediaWiki

CVE-2020-9382 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

An issue was discovered in the Widgets extension through 1.4.0 for MediaWiki. Improper title sanitization allowed for the execution of any wiki page as a widget (as defined by this extension) via MediaWiki's {{#widget:}} parser function.

Learn more about our Web Application Penetration Testing UK.