CVE-2013-4302Mediawiki vulnerability

CWE-2645 documents5 sources
Severity
5.0MEDIUMNVD
EPSS
0.7%
top 28.01%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
MediawikiDebian Mediawiki
Timeline
PublishedOct 27
Latest updateMay 17

Description

(1) ApiBlock.php, (2) ApiCreateAccount.php, (3) ApiLogin.php, (4) ApiMain.php, (5) ApiQueryDeletedrevs.php, (6) ApiTokens.php, and (7) ApiUnblock.php in includes/api/ in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allow remote attackers to obtain CSRF tokens and bypass the cross-site request forgery (CSRF) protection mechanism via a JSONP request to wiki/api.php.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages3 packages

debiandebian/mediawiki< mediawiki 1:1.19.8+dfsg-1 (bookworm)
Debianmediawiki/mediawiki< 1:1.19.8+dfsg-1+3
NVDmediawiki/mediawiki17 versions+16

Patches

Patch: lists.wikimedia.orgPatch: seclists.orgPatch: bugzilla.wikimedia.org

🔴Vulnerability Details

2
GHSA
GHSA-m76g-jmxw-8v24: (1) ApiBlock2022-05-17
OSV
CVE-2013-4302: (1) ApiBlock2013-10-27

📋Vendor Advisories

1
Debian
CVE-2013-4302: mediawiki - (1) ApiBlock.php, (2) ApiCreateAccount.php, (3) ApiLogin.php, (4) ApiMain.php, (...2013

💬Community

1
Bugzilla
CVE-2013-4301 CVE-2013-4302 CVE-2013-4303 mediawiki: security releases 1.21.2, 1.20.7, and 1.19.82013-09-04
CVE-2013-4302 — Debian Mediawiki vulnerability | cvebase