CVE-2017-0372
Published 2018-04-13
CVE-2017-0372: Parameters injection in the SyntaxHighlight extension of Mediawiki before 1.23.16, 1.27.3 and 1.28.2 might result in multiple vulnerabilities.
Priority: P264, critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 11.65% (95.5th percentile)
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | mediawiki | < mediawiki 1:1.27.3-1 (bookworm) | mediawiki 1:1.27.3-1 (bookworm) |
| mediawiki | mediawiki | <= 1.23.15 | — |
| mediawiki | mediawiki | — | — |
| mediawiki | mediawiki | — | — |
| mediawiki | mediawiki | — | — |
| mediawiki | mediawiki | — | — |
| mediawiki | mediawiki | — | — |
| mediawiki | mediawiki | — | — |
| mediawiki | mediawiki | >= 0 < 1:1.27.3-1 | 1:1.27.3-1 |
| mediawiki | mediawiki | >= 0 < 1:1.27.3-1 | 1:1.27.3-1 |
| mediawiki | mediawiki | >= 0 < 1:1.27.3-1 | 1:1.27.3-1 |
| mediawiki | mediawiki | >= 0 < 1:1.27.3-1 | 1:1.27.3-1 |
Detection & IOCs
URL: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/mediawiki_syntaxhighlight.rb
- Look for injection of arbitrary options passed to the Pygments library via the SyntaxHighlight MediaWiki extension (e.g., unexpected CLI-style flags in Pygments invocations spawned by MediaWiki).
- Monitor the MediaWiki document root for newly created PHP files with user-controllable content, which may indicate successful exploitation leading to a web shell.
- Anonymous (unauthenticated) requests to MediaWiki pages using the <syntaxhighlight> tag with unusual or malformed option parameters should be treated as suspicious, as exploitation does not require authentication.
- Alert on stored XSS payloads rendered from SyntaxHighlight-processed wiki pages, which may indicate a prior successful parameter injection.
- The USERNAME & PASSWORD options in the Metasploit module are only required when the target MediaWiki instance is configured as a private wiki; public wikis are exploitable without credentials.
- The vulnerability is specific to MediaWiki installations with SyntaxHighlight version 2.0 installed and enabled; this extension ships bundled with the AIO package of MediaWiki 1.27.x and 1.28.x, making those deployments particularly at risk.
- Successful RCE via arbitrary PHP file creation depends on server configuration; not all deployments will be vulnerable to code execution, though stored XSS and arbitrary file creation remain possible regardless.
CVSS provenance
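| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |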
Debian
CVE-2017-0372: mediawiki - Parameters injection in the SyntaxHighlight extension of Mediawiki before 1.23.1...
vendor_debian·2017·CVSS 9.8
Scope: local
bookworm: resolved (fixed in 1:1.27.3-1)
bullseye: resolved (fixed in 1:1.27.3-1)
forky: resolved (fixed in 1:1.27.3-1)
sid: resolved (fixed in 1:1.27.3-1)
trixie: resolved (fixed in 1:1.27.3-1)
GHSA
GHSA-c759-44hj-j247: Parameters injection in the SyntaxHighlight extension of Mediawiki before 1
ghsa_unreviewed·2022-05-14
CVE-2017-0372 [CRITICAL] CWE-74
OSV
CVE-2017-0372: Parameters injection in the SyntaxHighlight extension of Mediawiki before 1
osv·2018-04-13·CVSS 9.8
No detection rules found.
Bugzilla
CVE-2017-0372 mediawiki: SyntaxHighlight extension allows injection of arbitrary Pygments options
bugzilla·2017-05-04·CVSS 9.8
A vulnerability was found in the SyntaxHighlight MediaWiki extension.
Using this vulnerability it is possible for an anonymous attacker to
pass arbitrary options to the Pygments library. By specifying specially
crafted options, it is possible for an attacker to trigger a (stored)
Cross-Site Scripting condition. In addition, it allows the creating of
arbitrary files containing user-controllable data. Depending on the
server configuration, this can be used by an anonymous attacker to
execute arbitrary PHP code.
Upstream bug:
https://phabricator.wikimedia.org/T158689
References:
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000209.html
http://seclists.org/fulldisclosure
Bugzilla
CVE-2017-0372 mediawiki: SyntaxHighlight extension allows injection of arbitrary Pygments options [fedora-all]
bugzilla·2017-05-04·CVSS 9.8
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue af
Bugzilla
CVE-2017-0372 mediawiki119: mediawiki: SyntaxHighlight extension allows injection of arbitrary Pygments options [epel-6]
bugzilla·2017-05-04·CVSS 9.8
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-6.
Bugzilla
CVE-2017-0372 mediawiki123: mediawiki: SyntaxHighlight extension allows injection of arbitrary Pygments options [epel-7]
bugzilla·2017-05-04·CVSS 9.8
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
Discussion:
https://bugs.debian.org/861585
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000209.html
https://phabricator.wikimedia.org/T158689
https://security-tracker.debian.org/tracker/CVE-2017-0372