PT-2020-17373 · Wikimedia · Mediawiki
Ashley · Published 2020-12-21 · Updated 2024-03-06 · CVE-2020-35626
CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
MediaWiki versions through 1.35.1
PushToWatch extension for MediaWiki versions through 1.35.1
Description
An issue was discovered in the PushToWatch extension for MediaWiki. The primary form did not implement an anti-CSRF token, making it vulnerable to CSRF attacks against onSkinAddFooterLinks in PushToWatch.php.
Recommendations
For MediaWiki versions through 1.35.1, consider implementing an anti-CSRF token in the primary form to prevent CSRF attacks.
For the PushToWatch extension, restrict access to onSkinAddFooterLinks in PushToWatch.php until a patch is available.
As a temporary workaround, consider disabling the onSkinAddFooterLinks function in PushToWatch.php to minimize the risk of exploitation.
Fix
CSRF
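As an added illustration, not code from the PushToWatch extension or its fix, the hypothetical PHP below shows the shape of the recommended change in MediaWiki terms: the footer form carries a session-bound edit token and the receiving side rejects any request whose token does not match. The class name ExampleFooterHooks, the special page name ExampleWatch, the field name target and the helper isValidWatchRequest are assumptions; the MediaWiki calls (getEditToken, matchEditToken, Html::hidden, wasPosted) are the core API.

```php
<?php
// Hypothetical example (not the extension's own code): a SkinAddFooterLinks
// handler that emits its form with an anti-CSRF edit token, plus the check
// the form's target must perform before changing the user's watchlist.

class ExampleFooterHooks {
	/**
	 * Renders the footer form. The hidden wpEditToken field is derived from
	 * the current session, so a page on another origin cannot forge it.
	 */
	public static function onSkinAddFooterLinks( Skin $skin, string $key, array &$footerItems ) {
		if ( $key !== 'places' ) {
			return;
		}
		$user = $skin->getUser();
		if ( !$user->isRegistered() ) {
			return; // anonymous users have no watchlist to modify
		}
		$title = $skin->getTitle();
		$form = Html::openElement( 'form', [
			'method' => 'post', // never act on GET
			'action' => SpecialPage::getTitleFor( 'ExampleWatch' )->getLocalURL(),
		] );
		$form .= Html::hidden( 'target', $title->getPrefixedText() );
		$form .= Html::hidden( 'wpEditToken', $user->getEditToken() ); // anti-CSRF token
		$form .= Html::submitButton( $skin->msg( 'watch' )->text() );
		$form .= Html::closeElement( 'form' );
		$footerItems['example-watch'] = $form;
	}

	/**
	 * Receiving-side check: reject non-POST submissions and any POST whose
	 * token does not match the token bound to this user's session.
	 */
	public static function isValidWatchRequest( WebRequest $request, User $user ): bool {
		if ( !$request->wasPosted() ) {
			return false;
		}
		return $user->matchEditToken( $request->getVal( 'wpEditToken' ) );
	}
}
```

The state-changing handler calls isValidWatchRequest first and returns an error without touching the watchlist when it is false.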
Affected Products
Alt Linux
Mediawiki
Pushtowatch Extension