QwikSec

Security Database

CVE

CWE

Training

CVE-2020-29007

Published: Apr 15, 2023

Modified: Feb 6, 2025

PUBLISHED

Description

The Score extension through 0.3.0 for MediaWiki has a remote code execution vulnerability due to improper sandboxing of the GNU LilyPond executable. This allows any user with an ability to edit articles (potentially including unauthenticated anonymous users) to execute arbitrary Scheme or shell code by using crafted {{Image data to generate musical scores containing malicious code.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/seqred-s-a/cve-2020-29007

https://www.mediawiki.org/wiki/Extension:Score

https://phabricator.wikimedia.org/T257062

https://seqred.pl/en/cve-2020-29007-remote-code-execution-in-mediawiki-score/

https://www.mediawiki.org/wiki/Extension:Score/2021_security_advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.