Description

The DynamicPageList3 extension is a reporting tool for MediaWiki, listing category members and intersections with various formats and details. In affected versions unsanitised input of regular expression date within the parameters of the DPL parser function, allowed for the possibility of ReDoS (Regex Denial of Service). This has been resolved in version 3.3.6. If you are unable to update you may also set `$wgDplSettings['functionalRichness'] = 0;` or disable DynamicPageList3 to mitigate.

Related CPE's

a

dynamicpagelist3_project

dynamicpagelist3

*

*

*

*

*

mediawiki

Vulnerable

References

https://github.com/Universal-Omega/DynamicPageList3/commit/2c04dafb37a14d9ccfe070f53e7f11bbca0156e7

PatchThird Party Advisory

https://github.com/Universal-Omega/DynamicPageList3/releases/tag/3.3.6

Release NotesThird Party Advisory

https://github.com/Universal-Omega/DynamicPageList3/security/advisories/GHSA-8f24-q75c-jhf4

MitigationThird Party Advisory

Weaknesses

[email protected]

Primary
CWE-400

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.5 · High

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Analyzed

Published

2021-10-04T19:15:08.570

3 years ago

Last modified

2021-10-12T19:31:03.497

3 years ago