PT-2020-17370 · Mediawiki+1 · Mediawiki Casauth Extension+1

Sudozero · Published 2020-12-21 · Updated 2024-03-06 · CVE-2020-35623

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

MediaWiki CasAuth extension versions through 1.35.1

Description

An issue was discovered due to improper username validation, allowing user impersonation with trivial manipulations of certain characters within a given username. An ordinary user may be able to log in as a "bureaucrat user" who has a similar username, as demonstrated by usernames that differ only in bidirectional override symbols or blank space.

Recommendations

For MediaWiki CasAuth extension versions through 1.35.1, update to a version that fixes the improper username validation issue to prevent user impersonation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
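
A defensive check for the class of bug described above, as an added Python example that is not the CasAuth extension's code: it audits an account list for names that differ only in format controls or blank space, and rejects such names at login. The function names and the account list are constructed for illustration.

```python
import unicodedata
from collections import defaultdict

# Constructed sample account list; escapes keep the hidden characters visible here.
ACCOUNTS = ["WikiAdmin", "Wiki\u202eAdmin", "WikiAdmin\u00a0", "Ann Lee", "bob"]


def is_ignorable(ch):
    """Blank space, or a format control (category Cf covers the bidi overrides)."""
    return ch.isspace() or unicodedata.category(ch) == "Cf"


def skeleton(username):
    """Comparison key: the name with blanks and format controls removed."""
    return "".join(ch for ch in username if not is_ignorable(ch))


def find_collisions(usernames):
    """Audit: group account names that share a skeleton."""
    groups = defaultdict(list)
    for name in usernames:
        groups[skeleton(name)].append(name)
    return {key: names for key, names in groups.items() if len(names) > 1}


def check_asserted_name(asserted, existing):
    """Login-time gate for a name supplied by the external authentication step."""
    if any(unicodedata.category(ch) == "Cf" for ch in asserted):
        return "reject: format control character"
    key = skeleton(asserted)
    for name in existing:
        # Same skeleton but not the same string: a lookalike of another account.
        if skeleton(name) == key and name != asserted:
            return f"reject: collides with {name!r}"
    return "ok"


if __name__ == "__main__":
    for key, names in find_collisions(ACCOUNTS).items():
        print(key, "<-", [ascii(n) for n in names])
    for candidate in ["\u202dWikiAdmin", "Ann  Lee", "Ann Lee", "carol"]:
        print(ascii(candidate), "->", check_asserted_name(candidate, ACCOUNTS))
```

Running the audit over the real user table first shows which existing accounts already collide and need renaming before the login-time gate is enforced.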

Weakness Enumeration

Related Identifiers

ALT-PU-2021-1712
ALT-PU-2021-2091
BIT-MEDIAWIKI-2020-35623
CVE-2020-35623

Affected Products

Alt Linux
Mediawiki Casauth Extension