CVE-2024-23172 is a cross-site scripting (XSS) vulnerability identified in the CheckUser extension of MediaWiki, affecting versions prior to 1.35.14, all 1.36.x through 1.39.x versions before 1.39.6, and 1.40.x versions before 1.40.2. The vulnerability arises from improper sanitization of message definitions, particularly exploitable in the SpecialCheckUserLog feature. This flaw allows an attacker with limited privileges (requires some level of authentication) to inject malicious scripts that execute in the context of an authenticated user’s browser session. The CVSS 3.1 base score is 5.4, reflecting a medium severity level, with attack vector being network-based, low attack complexity, requiring privileges, and user interaction. The scope is changed, indicating that the vulnerability affects components beyond the initially vulnerable part, potentially impacting other parts of the system. The impact primarily affects confidentiality and integrity, allowing attackers to steal sensitive information or perform actions on behalf of legitimate users. Availability is not impacted. No known exploits are currently reported in the wild, but the presence of this vulnerability in widely used MediaWiki installations, especially those employing the CheckUser extension for user monitoring and administrative tasks, makes it a notable risk. The CWE-79 classification confirms this as a classic XSS vulnerability, which can be leveraged for session hijacking, phishing, or privilege escalation within the MediaWiki environment.

For European organizations, the impact of CVE-2024-23172 can be significant, especially for those relying on MediaWiki platforms for internal knowledge bases, documentation, or public-facing wikis. The CheckUser extension is often used by administrators to monitor user activity and detect abuse, so exploitation could undermine trust in administrative controls and lead to unauthorized disclosure of user data or administrative actions. Confidentiality breaches could expose sensitive organizational information or user credentials. Integrity impacts could allow attackers to manipulate logs or user data, complicating incident response and forensic investigations. Although availability is not directly affected, the reputational damage and potential regulatory consequences under GDPR for data leakage could be substantial. Organizations in sectors such as government, education, and large enterprises that use MediaWiki extensively are particularly at risk. The requirement for user interaction and privileges limits the attack surface but does not eliminate risk, especially in environments with many authenticated users or where social engineering could be used to trigger the vulnerability.

To mitigate CVE-2024-23172, organizations should promptly update the CheckUser extension to the fixed versions: 1.35.14 or later, 1.39.6 or later, and 1.40.2 or later. If immediate patching is not feasible, administrators should restrict access to the SpecialCheckUserLog feature to the minimum necessary set of trusted users and implement strict Content Security Policy (CSP) headers to limit the execution of injected scripts. Additionally, review and sanitize all user-generated content and message definitions rigorously. Employ web application firewalls (WAFs) with rules targeting XSS payloads specific to MediaWiki patterns. Conduct regular security audits and user activity monitoring to detect anomalous behavior indicative of exploitation attempts. Educate users about phishing and social engineering risks that could facilitate exploitation. Finally, maintain comprehensive logging and incident response plans to quickly identify and remediate any successful attacks.