CVE-2024-47612 in DataDump
Summary
by MITRE • 10/02/2024
DataDump is a MediaWiki extension that provides dumps of wikis. Several interface messages are unescaped (more specifically, (datadump-table-column-queued), (datadump-table-column-in-progress), (datadump-table-column-completed), (datadump-table-column-failed)). If these messages are edited (which requires the (editinterface) right by default), anyone who can view Special:DataDump (which requires the (view-dump) right by default) can be XSSed. This vulnerability is fixed with 601688ee8e8808a23b102fa305b178f27cbd226d.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 03/08/2025
The CVE-2024-47612 vulnerability affects the DataDump MediaWiki extension, which is designed to provide wiki dump functionality for administrators and users. This extension creates interface messages that are used to display status information about dump operations including queued, in-progress, completed, and failed states. The vulnerability stems from improper handling of these interface messages within the user-facing Special:DataDump page, where the messages are rendered without adequate HTML escaping or sanitization. The flaw specifically impacts four interface message keys: datadump-table-column-queued, datadump-table-column-in-progress, datadump-table-column-completed, and datadump-table-column-failed.
The technical exploitation of this vulnerability relies on the principle of cross-site scripting attacks where malicious actors can inject arbitrary JavaScript code through the interface message fields. The vulnerability requires two distinct permission levels to be exploited effectively: users must possess the view-dump right to access the Special:DataDump page and the editinterface right to modify the vulnerable interface messages. This dual permission requirement creates a specific attack vector where an attacker with sufficient privileges could modify the interface messages to include malicious payloads. The vulnerability represents a classic case of insufficient output escaping, where user-controllable data is directly rendered into HTML contexts without proper sanitization, making it susceptible to XSS exploitation.
The operational impact of CVE-2024-47612 extends beyond simple script execution as it allows attackers to potentially hijack user sessions, steal sensitive information, or perform actions on behalf of authenticated users. The vulnerability affects the integrity of the MediaWiki interface and could enable attackers to manipulate the display of dump statuses, potentially confusing administrators or masking malicious activities. The attack surface is particularly concerning in environments where multiple users have access to the Special:DataDump page, as any user with the appropriate permissions could become a vector for XSS attacks. This vulnerability aligns with CWE-79, which specifically addresses Cross-Site Scripting flaws in web applications, and can be mapped to ATT&CK technique T1566.001 for initial access through malicious web content.
Mitigation strategies for this vulnerability include immediate application of the patch referenced in commit 601688ee8e8808a23b102fa305b178f27cbd226d, which implements proper escaping of interface messages before rendering them in the user interface. Administrators should also review and restrict permissions for both the editinterface and view-dump rights to minimize the attack surface. The recommended approach involves implementing proper HTML escaping mechanisms for all user-controllable interface messages and ensuring that any data rendered in HTML contexts undergoes appropriate sanitization. Additionally, organizations should consider implementing Content Security Policy headers to provide additional defense-in-depth against potential XSS exploitation attempts, though this should not replace proper input validation and output escaping mechanisms.