CVE-2021-44857

Published: Dec 17, 2021Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. It is possible to use action=mcrundo followed by action=mcrrestore to replace the content of any arbitrary page (that the user doesn't have edit rights for). This applies to any public wiki, or a private wiki that has at least one page set in $wgWhitelistRead.

Affected (3)

Products: Mediawiki: Mediawiki

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Mediawiki Mediawiki	Before 1.35.5
Mediawiki Mediawiki	From 1.36.0 to 1.36.3
Mediawiki Mediawiki	From 1.37.0 to 1.37.1

Related CWEs

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (6)

https://phabricator.wikimedia.org/T297322

Source: cve@mitre.org

Third Party Advisory

https://security.gentoo.org/glsa/202305-24

Source: cve@mitre.org

https://www.mediawiki.org/wiki/2021-12_security_release/FAQ

Source: cve@mitre.org

Vendor Advisory

https://phabricator.wikimedia.org/T297322

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://security.gentoo.org/glsa/202305-24

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.mediawiki.org/wiki/2021-12_security_release/FAQ

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.