CVE-2023-45373 : Security Advisory and Response

An issue was discovered in the ProofreadPage extension for MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. XSS can occur via formatNumNoSeparators.

Understanding CVE-2023-45373

This CVE highlights a vulnerability in the ProofreadPage extension for multiple versions of MediaWiki.

What is CVE-2023-45373?

CVE-2023-45373 points out a cross-site scripting (XSS) vulnerability that can be exploited through the formatNumNoSeparators function in the ProofreadPage extension.

The Impact of CVE-2023-45373

This vulnerability could allow an attacker to execute malicious scripts in the context of the user's session on the affected MediaWiki instances, potentially leading to unauthorized actions or data theft.

Technical Details of CVE-2023-45373

The following technical details provide more insight into the CVE.

Vulnerability Description

The vulnerability arises from improper input validation in the ProofreadPage extension, enabling attackers to inject and execute malicious scripts.

Affected Systems and Versions

MediaWiki versions before 1.35.12
MediaWiki versions 1.36.x through 1.39.x before 1.39.5
MediaWiki versions 1.40.x before 1.40.1

Exploitation Mechanism

Attackers can exploit this vulnerability by crafting malicious input that gets processed by the formatNumNoSeparators function, leading to XSS attacks.

Mitigation and Prevention

Protecting systems from CVE-2023-45373 involves implementing the following measures.

Immediate Steps to Take

Update the ProofreadPage extension to the latest secure version.
Apply security patches provided by MediaWiki promptly.

Long-Term Security Practices

Regularly monitor and audit extensions for security vulnerabilities.
Educate users on safe practices to mitigate XSS risks.

Patching and Updates

Stay proactive in applying security updates and patches to mitigate the risk of similar vulnerabilities in the future.