**CVE-2021-30159 (MediaWiki)**
**Name of the Vulnerable Software and Affected Versions**
MediaWiki versions 1.31.0 through 1.31.11
MediaWiki versions 1.32.x through 1.35.1
**Description**
An issue in MediaWiki allows users to bypass intended restrictions on deleting pages in certain "fast double move" situations. The `MovePage::isValidMoveTarget()` function uses `FOR UPDATE`, but it is only called if `Title::getArticleID()` returns non-zero with no special flags (i.e. a read from the replica). Next, `MovePage::moveToInternal()` will delete the page if `getArticleID(READ_LATEST)` (a read from the master) is non-zero. Therefore, if the page is missing in the replica DB, `isValidMove()` will return true, and then `moveToInternal()` will unconditionally delete the page if it can be found in the master. This is related to insufficient access control in the `MovePage::isValidMoveTarget()`, `Title::getArticleID()`, and `MovePage::moveToInternal()` functions.
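The check/act mismatch described above is a time-of-check/time-of-use bug driven by replication lag: the authorisation check consults a replica that has not yet seen the target page, while the destructive step consults the master, which has. The following Python model is an added illustration and is not MediaWiki code; the `Database`, `move_vulnerable` and `move_hardened` names, the in-memory primary/replica dictionaries, and the redirect-only overwrite policy are all constructed for the example. It shows the vulnerable ordering (replica read for the decision, master read for the deletion) beside a hardened ordering that takes a single locked, latest read for both.

```python
"""Model of the replica-lag TOCTOU behind CVE-2021-30159 (added example, not MediaWiki code)."""
from dataclasses import dataclass, field
from threading import Lock


@dataclass
class Database:
    """Constructed stand-in for a primary DB plus a lagging replica."""
    primary: dict = field(default_factory=dict)    # title -> page id
    replica: dict = field(default_factory=dict)    # copy of primary, possibly stale
    redirects: set = field(default_factory=set)    # titles that are redirects
    lock: Lock = field(default_factory=Lock)       # models SELECT ... FOR UPDATE
    deleted: list = field(default_factory=list)    # audit trail of deletions
    next_id: int = 1

    def create(self, title):
        pid = self.next_id
        self.next_id += 1
        self.primary[title] = pid
        return pid

    def replicate(self):
        """Catch the replica up with the primary."""
        self.replica = dict(self.primary)

    def article_id(self, title, read_latest=False):
        """0 when the page is unknown, mirroring Title::getArticleID().
        read_latest=False models a plain (replica) read; True models READ_LATEST."""
        source = self.primary if read_latest else self.replica
        return source.get(title, 0)

    def delete(self, title):
        pid = self.primary.pop(title)
        self.deleted.append((title, pid))


def is_valid_move_target(db, title):
    """Constructed policy: only a redirect may be overwritten by a move."""
    return title in db.redirects


def move_vulnerable(db, source, target):
    """Decision from the replica, deletion from the primary (the buggy shape)."""
    # Check: plain read. A page that exists only on the primary is invisible here,
    # so the overwrite policy is never consulted for it.
    if db.article_id(target) != 0 and not is_valid_move_target(db, target):
        return "refused"
    # Act: latest read. Anything found here is deleted without a policy check.
    if db.article_id(target, read_latest=True) != 0:
        db.delete(target)
    db.primary[target] = db.primary.pop(source)
    return "moved"


def move_hardened(db, source, target):
    """Decision and deletion from one locked, latest read of the target."""
    with db.lock:
        pid = db.article_id(target, read_latest=True)
        if pid != 0 and not is_valid_move_target(db, target):
            return "refused"
        if pid != 0:
            db.delete(target)
        db.primary[target] = db.primary.pop(source)
    return "moved"


def scenario(move, replica_caught_up=False):
    """Create Source, let the replica see it, then create Target on the primary only.
    Returns (outcome, list of deletions) for the given move routine."""
    db = Database()
    db.create("Source")           # id 1
    db.replicate()                # replica now knows Source
    db.create("Target")           # id 2, a regular article, not yet replicated
    if replica_caught_up:
        db.replicate()
    return move(db, "Source", "Target"), list(db.deleted)


if __name__ == "__main__":
    print("vulnerable, lagging replica:", scenario(move_vulnerable))
    print("vulnerable, replica current:", scenario(move_vulnerable, True))
    print("hardened,   lagging replica:", scenario(move_hardened))
```

With a lagging replica the vulnerable routine reports `moved` and records the deletion of the non-redirect `Target`; once the replica has caught up, the same routine refuses, which is why the bug only surfaces in "fast" sequences. The hardened routine refuses regardless of replica state because the decision and the deletion are made from the same locked read.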
**Recommendations**
For MediaWiki versions 1.31.0 through 1.31.11, update to version 1.31.12 or later.
For MediaWiki versions 1.32.x through 1.35.1, update to version 1.35.2 or later.
As a temporary workaround, consider restricting access to the `MovePage::moveToInternal()` function until a patch is available.
Avoid using the `Title::getArticleID()` function with no special flags in the affected API endpoints until the issue is resolved.