CVE-2013-4304

Name of the Vulnerable Software and Affected Versions MediaWiki CentralAuth extension versions 1.19.x through 1.19.7 MediaWiki CentralAuth extension versions 1.20.x through 1.20.6 MediaWiki CentralAuth extension versions 1.21.x through 1.21.1

Description The issue allows remote attackers to bypass authentication without a password by exploiting a caching mechanism in the CentralAuth extension. This occurs because a valid CentralAuthUser object is cached in the centralauth User cookie even when a user has not successfully logged in.

Recommendations For MediaWiki CentralAuth extension versions 1.19.x through 1.19.7, update to version 1.19.8 or later. For MediaWiki CentralAuth extension versions 1.20.x through 1.20.6, update to version 1.20.7 or later. For MediaWiki CentralAuth extension versions 1.21.x through 1.21.1, update to version 1.21.2 or later.