MediaWiki · MediaWiki Extension:OAuth · CVE-2015-8009
**Name of the Vulnerable Software and Affected Versions**
MediaWiki Extension:OAuth versions 1.25.x before 1.25.3
MediaWiki Extension:OAuth versions 1.24.x before 1.24.4
MediaWiki Extension:OAuth versions prior to 1.23.11
**Description**
The MWOAuthDataStore::lookup_token function in MediaWiki's Extension:OAuth does not properly validate the signature when checking the authorization signature. This allows remote registered Consumers to use another Consumer's credentials by leveraging knowledge of the credentials.
**Recommendations**
For MediaWiki Extension:OAuth versions 1.25.x before 1.25.3, update to version 1.25.3 or later.
For MediaWiki Extension:OAuth versions 1.24.x before 1.24.4, update to version 1.24.4 or later.
For MediaWiki Extension:OAuth versions prior to 1.23.11, update to version 1.23.11 or later.