CVE-2010-1150 — Cross-Site Request Forgery in Mediawiki

CWE-352 — Cross-Site Request Forgery6 documents6 sources

Severity

6.0MEDIUMNVD

EPSS

0.4%

top 38.54%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mediawiki Debian Mediawiki

Timeline

PublishedApr 20

Latest updateMay 2

Description

MediaWiki before 1.15.3, and 1.6.x before 1.16.0beta2, does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to conduct phishing attacks by arranging for a victim to login to the attacker's account and then execute a crafted user script, related to a "login CSRF" issue.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 6.8 | Impact: 6.4

Affected Packages3 packages

▶debiandebian/mediawiki< mediawiki 1:1.15.3-1 (bookworm)

▶Debianmediawiki/mediawiki< 1:1.15.3-1+3

▶NVDmediawiki/mediawiki1.15.2+53

Patches

Patch: download.wikimedia.org ↗Patch: download.wikimedia.org ↗Patch: lists.wikimedia.org ↗

🔴Vulnerability Details

GHSA

GHSA-8fhg-54m9-q37r: MediaWiki before 1↗2022-05-02

▶

OSV

CVE-2010-1150: MediaWiki before 1↗2010-04-20

▶

📋Vendor Advisories

Red Hat

v.1.15.3: Login CSRF↗2010-04-06

▶

Debian

CVE-2010-1150: mediawiki - MediaWiki before 1.15.3, and 1.6.x before 1.16.0beta2, does not properly handle ...↗2010

▶

💬Community

Bugzilla

CVE-2010-1150 MediaWiki v.1.15.3: Login CSRF↗2010-04-08

▶