PT-2020-14240 · Mediawiki · Scratch Login

Apple502J +3 · Published 2020-08-28 · Updated 2021-11-18 · CVE-2020-15164

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Scratch Login (MediaWiki extension) versions prior to 1.1

Description

The issue allows any account to be logged into by using the same username with leading, trailing, or repeated underscore(s), as these are treated as whitespace and trimmed by MediaWiki. This affects all users on any wiki using the Scratch Login extension.

Recommendations

For versions prior to 1.1, update to version 1.1 or later to resolve the issue.
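
The normalisation mismatch described above, with a round-trip check that rejects any verified username the wiki would fold onto a different account. This is an added example, not code from the Scratch Login extension or from MediaWiki: canonicalWikiName() is a simplified model of the trimming the description mentions, and toExternalForm(), isSafeToMap() and the sample names are hypothetical.

```php
<?php
// Simplified model of the normalisation the advisory describes: underscores
// are treated as whitespace, repeated ones collapse, and the ends are trimmed.
// Assumption-level model for illustration, not MediaWiki's own code.
function canonicalWikiName(string $name): string {
    $name = str_replace('_', ' ', $name);
    $name = preg_replace('/ +/', ' ', $name);
    return trim($name, ' ');
}

// Hypothetical inverse mapping: the wiki form written back with underscores.
function toExternalForm(string $wikiName): string {
    return str_replace(' ', '_', $wikiName);
}

// Hypothetical guard: accept an externally verified username only if the
// wiki's canonical form maps back to exactly the same string. Any name that
// loses characters during normalisation belongs to a different external
// account than the wiki account it would resolve to, so it is rejected.
function isSafeToMap(string $verifiedName): bool {
    if ($verifiedName === '') {
        return false;
    }
    return toExternalForm(canonicalWikiName($verifiedName)) === $verifiedName;
}

// Constructed sample names, not taken from any real wiki.
$samples = ['Example_User', '_Example_User', 'Example_User_', 'Example__User', 'ExampleUser'];
foreach ($samples as $name) {
    printf(
        "%-16s -> wiki account %-15s %s\n",
        "'$name'",
        "'" . canonicalWikiName($name) . "'",
        isSafeToMap($name) ? 'accept' : 'reject (collides after normalisation)'
    );
}
```

The guard compares against the exact string the login flow verified, so it must run before any component has already normalised the name.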

Fix

Improper Authentication

Special Elements Injection

Weakness Enumeration

Related Identifiers

CVE-2020-15164
GHSA-8FQ5-G4M5-6J43

Affected Products

Scratch Login