CVE-2022-24813 in CreateWiki

Summary

by MITRE • 04/04/2022

CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. Without the patch for this issue, anonymous comments can be made using Special:RequestWikiQueue when sent directly via POST. A patch for this issue is available in the `master` branch of CreateWiki's GitHub repository.

Analysis

by VulDB Data Team • 04/06/2022

The vulnerability identified as CVE-2022-24813 affects CreateWiki, a MediaWiki extension developed by Miraheze for managing wiki creation requests. This extension operates within the Special:RequestWikiQueue interface, which allows users to submit requests for new wiki instances. The flaw resides in the extension's handling of anonymous comment submissions, creating a significant security gap that could be exploited by malicious actors. The vulnerability specifically impacts the POST request processing mechanism, where anonymous users can bypass intended access controls and submit comments directly to the system.

The technical implementation flaw stems from insufficient input validation and access control enforcement within the CreateWiki extension's comment submission functionality. When users submit comments through Special:RequestWikiQueue, the system fails to properly verify whether the submitting user possesses the necessary permissions to make comments. This weakness allows anonymous users to craft and send POST requests directly to the comment submission endpoint without proper authentication or authorization checks. The vulnerability operates at the application layer, specifically affecting the extension's API endpoint handling and user permission validation mechanisms.

The operational impact of this vulnerability extends beyond simple comment submission, as it represents a broader access control failure that could potentially enable more sophisticated attacks. An attacker could exploit this vulnerability to flood the system with unwanted comments, potentially disrupting legitimate user interactions or creating denial-of-service conditions. The vulnerability also raises concerns about data integrity and system auditability, as anonymous comments could be used to manipulate or obscure legitimate user activities. This issue particularly affects collaborative environments where maintaining clear attribution of user actions is critical for system governance and security monitoring.

Security practitioners should implement immediate mitigations including applying the patch available in CreateWiki's master branch on GitHub, which addresses the core access control validation issue. Organizations should also review their MediaWiki configurations to ensure proper authentication enforcement and implement additional monitoring for unusual comment submission patterns. The vulnerability aligns with CWE-284 Access Control Issues, specifically focusing on insufficient access control mechanisms and improper authorization checks. From an ATT&CK perspective, this weakness maps to T1078 Valid Accounts and T1566 Phishing, as it enables unauthorized access through potentially compromised accounts or direct system exploitation. Organizations should also consider implementing rate limiting and input sanitization measures to further reduce the attack surface and prevent abuse of the comment submission functionality.
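As an added illustration of the monitoring suggested above (this is not code from the advisory or from the CreateWiki project), the following Python scans combined-format web-server access logs for the two patterns the analysis describes: POSTs to Special:RequestWikiQueue submitted directly (no Referer, so the form page was never loaded) and bursts of such POSTs from a single client. The log layout, the `/wiki/Special:RequestWikiQueue/42` path and the sample traffic are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed "combined" log layout: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
                    r'\d{3} \S+ "(?P<ref>[^"]*)" "[^"]*"$')
QUEUE_PATH = "Special:RequestWikiQueue"

def queue_posts(lines):
    """Parsed records for every POST to the request-queue page. The access log cannot tell
    anonymous from logged-in users (the session lives in a cookie), so key on behaviour."""
    out = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and m["method"] == "POST" and QUEUE_PATH in m["path"]:
            out.append({"ip": m["ip"], "ref": m["ref"],
                        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")})
    return out

def direct_posts(lines):
    """IPs that POSTed with no Referer: the form was never loaded, i.e. a direct submission."""
    return sorted({r["ip"] for r in queue_posts(lines) if r["ref"] in ("", "-")})

def post_bursts(lines, threshold=3, window=timedelta(minutes=5)):
    """{ip: peak count} for clients exceeding `threshold` queue POSTs in any `window` span."""
    per_ip = defaultdict(list)
    for r in queue_posts(lines):
        per_ip[r["ip"]].append(r["ts"])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged

# Constructed sample traffic (not real log data): 203.0.113.7 replays the POST four times
# in 15 s with no Referer; 198.51.100.2 loads the page and submits the form once.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Apr/2022:10:00:01 +0000] "POST /wiki/Special:RequestWikiQueue/42 HTTP/1.1" 302 0 "-" "python-requests/2.27"',
    '203.0.113.7 - - [06/Apr/2022:10:00:04 +0000] "POST /wiki/Special:RequestWikiQueue/42 HTTP/1.1" 302 0 "-" "python-requests/2.27"',
    '203.0.113.7 - - [06/Apr/2022:10:00:09 +0000] "POST /wiki/Special:RequestWikiQueue/42 HTTP/1.1" 302 0 "-" "python-requests/2.27"',
    '203.0.113.7 - - [06/Apr/2022:10:00:15 +0000] "POST /wiki/Special:RequestWikiQueue/42 HTTP/1.1" 302 0 "-" "python-requests/2.27"',
    '198.51.100.2 - - [06/Apr/2022:10:02:00 +0000] "GET /wiki/Special:RequestWikiQueue/42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [06/Apr/2022:10:02:30 +0000] "POST /wiki/Special:RequestWikiQueue/42 HTTP/1.1" 302 0 "https://wiki.example/wiki/Special:RequestWikiQueue/42" "Mozilla/5.0"',
]
```

Both checks are heuristics: a Referer can be omitted by privacy settings and a burst threshold needs tuning to the wiki's normal traffic, so treat hits as triage leads rather than proof of abuse.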

Responsible

GitHub, Inc.

Reservation

02/10/2022

Disclosure

04/04/2022

Moderation

accepted

CPE

ready

EPSS

0.00969

KEV

no

Activities

very low
