CVE-2020-35623

An issue was discovered in the CasAuth extension for MediaWiki through 1.35.1. Due to improper username validation, it allowed user impersonation with trivial manipulations of certain characters within a given username. An ordinary user may be able to login as a "bureaucrat user" who has a similar username, as demonstrated by usernames that differ only in (1) bidirectional override symbols or (2) blank space.
References
Link Resource
https://github.com/CWRUChielLab/CASAuth/pull/11 Patch Third Party Advisory
https://phabricator.wikimedia.org/T263498 Exploit Third Party Advisory
Advertisement

NeevaHost hosting service

Configurations

Configuration 1 (hide)

cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*

Information

Published : 2020-12-21 15:15

Updated : 2021-07-21 04:39


NVD link : CVE-2020-35623

Mitre link : CVE-2020-35623


JSON object : View

CWE
CWE-706

Use of Incorrectly-Resolved Name or Reference

CWE-20

Improper Input Validation

Advertisement

dedicated server usa

Products Affected

mediawiki

  • mediawiki