PT-2019-5230 · Mediawiki+1

Bugreporter · Published 2019-12-10 · Updated 2023-02-01 · CVE-2019-19709

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

MediaWiki versions prior to 1.33.1

Description

The issue allows attackers to bypass the Title blacklist protection mechanism. This can be achieved by starting with an arbitrary title, establishing a non-resolvable redirect for the associated page, and using redirect=1 in the "action API" when editing that page. The vulnerability is related to redirecting URLs to untrusted sites, which can allow a remote attacker to gain unauthorized access to confidential data and impact data integrity.

Recommendations

For MediaWiki versions prior to 1.33.1, update to a version that contains a fix for this issue. As a temporary workaround, consider restricting the use of the redirect=1 parameter in the action API until a patch is available.

Exploit

Fix

Open Redirect

Weakness Enumeration

Related Identifiers

ALT-PU-2019-3367
ALT-PU-2020-2249
BDU:2020-01973
CVE-2019-19709
DSA-4592-1
GHSA-PJV5-VV93-P648
MGASA-2020-0021

Affected Products

Alt Linux
Mediawiki