CVE-2013-4306
Description
Cross-site request forgery (CSRF) vulnerability in api/ApiQueryCheckUser.php in the CheckUser extension for MediaWiki, possibly Checkuser before 2.3, allows remote attackers to hijack the authentication of arbitrary users for requests that "perform sensitive write actions" via unspecified vectors.
Mitigations
Vendor advisory: secalert@redhat.com — https://git.wikimedia.org/commit/mediawiki%2Fextensions%2FCheckUser.git/99ad25d066ce6111e798427cba7f21526827f651
Vendor advisory: secalert@redhat.com — https://bugzilla.wikimedia.org/show_bug.cgi?id=45019
Vendor advisory: secalert@redhat.com — http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html
Application impact
| Vendor | Product | Affected versions | Fixed in |
|---|---|---|---|
| mediawiki | mediawiki | 1.19.0 (inclusive) up to, but not including, 1.19.8 | 1.19.8 |
References
- http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html
- http://osvdb.org/96908
- http://seclists.org/oss-sec/2013/q3/553
- http://www.securityfocus.com/bid/62210
- https://bugzilla.wikimedia.org/show_bug.cgi?id=45019
- https://exchange.xforce.ibmcloud.com/vulnerabilities/86893
- https://git.wikimedia.org/commit/mediawiki%2Fextensions%2FCheckUser.git/99ad25d066ce6111e798427cba7f21526827f651
CWEs
CWE-352 (Cross-Site Request Forgery)