vulnerability

MediaWiki: Improper Input Validation (CVE-2020-35623)

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
5	(AV:N/AC:L/Au:N/C:N/I:P/A:N)	Dec 21, 2020	Dec 29, 2020	Aug 5, 2021

Severity

CVSS

(AV:N/AC:L/Au:N/C:N/I:P/A:N)

Published

Dec 21, 2020

Added

Dec 29, 2020

Modified

Aug 5, 2021

Description

An issue was discovered in the CasAuth extension for MediaWiki through 1.35.1. Due to improper username validation, it allowed user impersonation with trivial manipulations of certain characters within a given username. An ordinary user may be able to login as a "bureaucrat user" who has a similar username, as demonstrated by usernames that differ only in (1) bidirectional override symbols or (2) blank space.

Solution

mediawiki-upgrade-latest

References

CVE-2020-35623
https://attackerkb.com/topics/CVE-2020-35623
URL-https://github.com/CWRUChielLab/CASAuth/pull/11
URL-https://phabricator.wikimedia.org/T263498

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today