CVE-2017-0372
published 2018-04-13

CVE-2017-0372: Parameters injection in the SyntaxHighlight extension of Mediawiki before 1.23.16, 1.27.3 and 1.28.2 might result in multiple vulnerabilities.

Priority P264
Severity: critical, 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: public exploit available (Metasploit module, linked under Detection & IOCs)
EPSS: 11.65% (95.5th percentile)

Affected

14 ranges (rows as supplied by the feeds; empty cells are empty in the feed data)

Vendor      Product        Version range                         Fixed in                          Rows
debian      debian_linux   (not listed)                          (not listed)                      2 identical
debian      mediawiki      < mediawiki 1:1.27.3-1 (bookworm)     mediawiki 1:1.27.3-1 (bookworm)   1
mediawiki   mediawiki      <= 1.23.15                            (not listed)                      1
mediawiki   mediawiki      (not listed)                          (not listed)                      6 identical
mediawiki   mediawiki      >= 0, < 1:1.27.3-1                    1:1.27.3-1                        4 identical

The rows mirror the feeds' data; the upstream fixed versions given in the description are 1.23.16, 1.27.3 and 1.28.2, so a 1.28.x install below 1.28.2 is affected even though no row lists it.

Detection & IOCs (extracted from sources)

urlhttps://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/mediawiki_syntaxhighlight.rb
  • Look for injection of arbitrary options into the Pygments (pygmentize) invocation spawned by the SyntaxHighlight extension, e.g. unexpected CLI-style flags or formatter options in the child-process command line.
  • Monitor the MediaWiki document root for newly created PHP files whose content is user-controllable; such a file indicates successful exploitation leading to a web shell.
  • Treat anonymous (unauthenticated) requests that submit <syntaxhighlight> tags with unusual or malformed attribute values as suspicious: exploitation does not require authentication on a public wiki.
  • Alert on stored XSS payloads rendered from SyntaxHighlight-processed wiki pages, which may indicate an earlier successful parameter injection.
  • The USERNAME and PASSWORD options of the Metasploit module are only needed when the target MediaWiki instance is configured as a private wiki; public wikis are exploitable without credentials.
  • The vulnerability requires SyntaxHighlight version 2.0 to be installed and enabled; the extension ships bundled with the all-in-one (AIO) MediaWiki 1.27.x and 1.28.x packages, so those deployments are particularly at risk.
  • Whether arbitrary PHP file creation leads to code execution depends on server configuration (where the web server executes PHP from and where the PHP process may write); not every deployment yields RCE, but stored XSS and arbitrary file creation remain possible regardless.
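The first three indicators above, as an added detection script (written for this page as an illustration; it is not code from the linked Metasploit module or from MediaWiki). It walks a pygmentize command line the way a process-exec audit record would present it and flags injected options: a lexer argument that is not a plain name, -o output redirection, and the full/cssfile/cssclass formatter options that make Pygments write a stylesheet to an arbitrary path. It then applies the same heuristics to <syntaxhighlight> attributes in submitted wiki text. The exec-log line format, the lexer allow-list, the web-root paths and every sample input are constructed assumptions:

```python
"""Detection helpers for Pygments option injection through MediaWiki's
SyntaxHighlight extension (CVE-2017-0372). Added illustration: the exec-log
format, the lexer allow-list and the web-root paths are assumptions."""
import re
import shlex

# Conservative allow-list for a Pygments lexer alias (assumption, detection only;
# admits aliases such as c++, c#, objective-c, vb.net).
LEXER_RE = re.compile(r"^[A-Za-z0-9_+.#-]+$")
# Formatter options that turn a highlight call into a file write: with full=1 the
# HtmlFormatter writes its stylesheet to cssfile=<path>, using cssclass= as the
# selector prefix, so attacker-supplied text lands in the written file.
WRITE_OPTS = {"full", "cssfile", "cssclass"}
# Directories served over HTTP (assumption; set per host).
DOCROOTS = ("/var/www/", "/srv/www/", "/usr/share/mediawiki/")

def _split_opts(blob):
    """Parse the 'k=v,k2=v2' form taken by pygmentize -O / -P into a dict."""
    opts = {}
    for item in blob.split(","):
        key, _, value = item.partition("=")
        if key.strip():
            opts[key.strip()] = value
    return opts

def _value(argv, i, tok):
    """Value of a short option written as '-Xvalue' or '-X value', plus next index."""
    if len(tok) > 2:
        return tok[2:], i + 1
    return (argv[i + 1] if i + 1 < len(argv) else ""), i + 2

def find_injected_options(argv):
    """Findings for one pygmentize argv; an empty list means it looks benign."""
    findings = []
    i = 1  # argv[0] is the binary
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("-l"):  # lexer: the only slot wiki text should reach
            val, i = _value(argv, i, tok)
            if val and (val.startswith("-") or not LEXER_RE.match(val)):
                findings.append(f"lexer argument is not a plain lexer name: {val!r}")
        elif tok.startswith("-o"):  # highlighted output redirected to a file
            val, i = _value(argv, i, tok)
            findings.append(f"-o output file: {val!r}")
        elif tok.startswith(("-O", "-P")):  # formatter / lexer options
            val, i = _value(argv, i, tok)
            hits = sorted(WRITE_OPTS & set(_split_opts(val)))
            if hits:
                findings.append("file-writing formatter options: " + ", ".join(hits))
        else:
            i += 1
    for tok in argv[1:]:
        if "<?" in tok:
            findings.append(f"PHP open tag in argument: {tok!r}")
        if any(root in tok for root in DOCROOTS):
            findings.append(f"web-root path in argument: {tok!r}")
    return findings

def scan_exec_log(lines):
    """Return {line: findings} for pygmentize executions that show injected options."""
    hits = {}
    for line in lines:
        # assumed line format: '<timestamp> <host> <unit>: exec <command line>'
        _, sep, cmd = line.partition(" exec ")
        argv = shlex.split(cmd) if sep else []
        if argv and argv[0].rsplit("/", 1)[-1] == "pygmentize":
            findings = find_injected_options(argv)
            if findings:
                hits[line] = findings
    return hits

# <syntaxhighlight ...> whose attribute values may contain '>' inside quotes
SH_TAG_RE = re.compile(r'<syntaxhighlight\b((?:"[^"]*"|[^>"])*)>', re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
OPTION_LIKE_RE = re.compile(r"(?:^|\s)-[A-Za-z]|<\?")

def suspicious_syntaxhighlight_tags(wikitext):
    """(attribute, value) pairs in <syntaxhighlight> tags that look like pygmentize
    options rather than a lexer name, a line range or a CSS snippet."""
    flagged = []
    for tag in SH_TAG_RE.finditer(wikitext):
        for name, value in ATTR_RE.findall(tag.group(1)):
            if name.lower() == "lang":
                if value and (value.startswith("-") or not LEXER_RE.match(value)):
                    flagged.append((name, value))
            elif OPTION_LIKE_RE.search(value) or WRITE_OPTS & set(_split_opts(value)):
                flagged.append((name, value))
    return flagged

# Constructed samples: a benign spawn, an injected one, an unrelated process.
SAMPLE_EXEC_LOG = [
    "2018-04-13T10:02:11Z wiki01 php-fpm[2231]: exec /usr/bin/pygmentize"
    " -l php -f html -O encoding=utf-8,startinline=1",
    "2018-04-13T10:02:19Z wiki01 php-fpm[2231]: exec /usr/bin/pygmentize -l php -f html"
    " -O \"full=1,cssfile=/var/www/html/images/shell.php,cssclass=<?php system($_GET['c']); ?>\"",
    "2018-04-13T10:02:20Z wiki01 php-fpm[2231]: exec /usr/bin/convert in.png out.png",
]
# Constructed wiki text: a normal tag, then one smuggling options through lang.
SAMPLE_WIKITEXT = (
    '<syntaxhighlight lang="c++" line highlight="2-3">int x;</syntaxhighlight>\n'
    '<syntaxhighlight lang="-O full=1,cssfile=/var/www/html/images/shell.php,'
    'cssclass=<?php system($_GET[\'c\']); ?>">x</syntaxhighlight>\n'
)
```

Run as a module and call scan_exec_log(SAMPLE_EXEC_LOG) and suspicious_syntaxhighlight_tags(SAMPLE_WIKITEXT): only the injected spawn and the injected tag come back. In production, feed the first function auditd or execsnoop-style records filtered to pygmentize, and the second the bodies of page edits, previews and API parse calls. The allow-list deliberately admits aliases like c++ and c#, so it is paired with the leading-dash check rather than replacing it.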

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.0      9.8     CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
osv                       9.8     CRITICAL
vendor_debian             9.8     CRITICAL