CVE-2013-2032 — Mediawiki vulnerability

CWE-2645 documents5 sources

Severity

5.0MEDIUMNVD

EPSS

1.0%

top 22.85%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mediawiki Debian Mediawiki Fedoraproject Fedora

Timeline

PublishedNov 18

Latest updateMay 17

Description

MediaWiki before 1.19.6 and 1.20.x before 1.20.5 does not allow extensions to prevent password changes without using both Special:PasswordReset and Special:ChangePassword, which allows remote attackers to bypass the intended restrictions of an extension that only implements one of these blocks.

CVSS vector

AV:N/AC:L/C:N/I:P/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages3 packages

▶debiandebian/mediawiki< mediawiki 1:1.19.6-1 (bookworm)

▶Debianmediawiki/mediawiki< 1:1.19.6-1+3

▶NVDmediawiki/mediawiki1.19.5+52

Also affects: Fedora 17, 18, 19

Patches

Patch: lists.wikimedia.org ↗Patch: bugzilla.wikimedia.org ↗Patch: lists.wikimedia.org ↗

🔴Vulnerability Details

GHSA

GHSA-jw49-q332-x9hh: MediaWiki before 1↗2022-05-17

▶

OSV

CVE-2013-2032: MediaWiki before 1↗2013-11-18

▶

📋Vendor Advisories

Debian

CVE-2013-2032: mediawiki - MediaWiki before 1.19.6 and 1.20.x before 1.20.5 does not allow extensions to pr...↗2013

▶

💬Community

Bugzilla

CVE-2013-2031 CVE-2013-2032 mediawiki: security releases 1.20.5 and 1.19.6↗2013-04-30

▶