CVE-2024-47816

Users can impersonate import requesters if their actor IDs coincide in ImportDump

Description

ImportDump is a mediawiki extension designed to automate user import requests. A user's local actor ID is stored in the database to tell who made what requests. Therefore, if a user on another wiki happens to have the same actor ID as someone on the central wiki, the user on the other wiki can act as if they're the original wiki requester. This can be abused to create new comments, edit the request, and view the request if it's marked private. This issue has been addressed in commit `5c91dfc` and all users are advised to update. Users unable to update may disable the special page outside of their global wiki. See `miraheze/mw-config@e566499` for details on that.

Category

6.4
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.08%
Affected: miraheze ImportDump
Published at:
Updated at:

References

Link Tags
https://github.com/miraheze/ImportDump/security/advisories/GHSA-jjmq-mg36-6387
https://github.com/miraheze/ImportDump/commit/5c91dfce78320e717516ee65ef5a05f01979ee6c
https://github.com/miraheze/mw-config/commit/e5664995fbb8644f9a80b450b4326194f20f9ddc
https://issue-tracker.miraheze.org/T12701

Frequently Asked Questions

What is the severity of CVE-2024-47816?
CVE-2024-47816 has been scored as a medium severity vulnerability.
How to fix CVE-2024-47816?
To fix CVE-2024-47816, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-47816 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-47816 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-47816?
CVE-2024-47816 affects miraheze ImportDump.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.