CVE-2025-53371
DiscordNotifications · DiscordNotifications extension for MediaWiki
Executive summary
A critical vulnerability in the DiscordNotifications extension for MediaWiki allows an attacker to make arbitrary web requests from the server, potentially leading to internal network reconnaissance and information disclosure.
Vulnerability
The extension contains a Server-Side Request Forgery (SSRF) vulnerability. It improperly handles outbound requests made via curl and file_get_contents, allowing an attacker to force the application to send crafted requests to arbitrary internal or external destinations. The provided information does not specify the authentication level required to exploit this flaw.
Business impact
A successful exploit could allow an attacker to bypass firewalls and access sensitive internal services, scan the internal network, or exfiltrate data from the server. Given the Critical CVSS score of 9.1, this vulnerability poses a significant risk to the confidentiality and integrity of the underlying server and connected network resources, potentially serving as an entry point for broader attacks.
Remediation
Immediate Action: Administrators must update the DiscordNotifications extension to the latest version immediately to mitigate this vulnerability.
Proactive Monitoring: Review outbound network traffic and web server logs for unusual requests originating from the MediaWiki server, especially those targeting internal IP addresses or services.
Compensating Controls: If patching is not immediately possible, implement strict egress filtering to limit the server's outbound connections to only essential, trusted endpoints. A Web Application Firewall (WAF) may also help block malicious request patterns associated with SSRF.
Exploitation status
Public Exploit Available: Not specified in the provided data.
Analyst recommendation
This is a critical vulnerability that exposes the host server and internal network to significant risk. We strongly recommend that all administrators running the affected DiscordNotifications extension prioritize applying the vendor-supplied patch immediately. Proactive patching is the most effective way to prevent potential compromise of your MediaWiki environment and internal infrastructure.