Improper access control in MediaWiki - CVE-2012-4380
Published: October 19, 2017 / Updated: August 8, 2020
Vulnerability identifier: #VU38027
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2012-4380
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: MediaWiki.org
Affected software:
MediaWiki
MediaWiki
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to manipulate data.
MediaWiki before 1.18.5, and 1.19.x before 1.19.2 allows remote attackers to bypass GlobalBlocking extension IP address blocking and create an account via unspecified vectors.
How to mitigate CVE-2012-4380
Install update from vendor's website.
Sources
- http://www.openwall.com/lists/oss-security/2012/08/31/10
- http://www.openwall.com/lists/oss-security/2012/08/31/6
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686330
- https://bugzilla.redhat.com/show_bug.cgi?id=853440
- https://lists.wikimedia.org/pipermail/mediawiki-announce/2012-August/000119.html
- https://phabricator.wikimedia.org/T41824