PT-2021-24161 · Mediawiki+1 · Mediawiki+1

Dylsss · Published 2021-12-15 · Updated 2024-03-06 · CVE-2021-44857

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions:
MediaWiki versions prior to 1.35.5
MediaWiki versions 1.36.x prior to 1.36.3
MediaWiki versions 1.37.x prior to 1.37.1
Description: An issue allows replacing the content of any arbitrary page using action=mcrundo followed by action=mcrrestore, even if the user does not have edit rights for that page. This issue affects any public wiki or a private wiki with at least one page set in $wgWhitelistRead.
Recommendations: For MediaWiki versions prior to 1.35.5, update to version 1.35.5 or later. For MediaWiki versions 1.36.x prior to 1.36.3, update to version 1.36.3 or later. For MediaWiki versions 1.37.x prior to 1.37.1, update to version 1.37.1 or later. As a temporary workaround, consider restricting access to the action=mcrundo and action=mcrrestore actions until a patch is applied.
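
A log-review sketch for the request pattern named in the description, added here as an example and not part of the advisory or of MediaWiki: it scans web-server access logs for requests that use action=mcrundo or action=mcrrestore and reports clients that used both on the same page. The log lines are constructed samples in combined log format, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [16/Dec/2021:10:01:02 +0000] "GET /index.php?title=Main_Page&action=mcrundo HTTP/1.1" 200 5120 "-" "ua"
198.51.100.4 - - [16/Dec/2021:10:01:05 +0000] "GET /index.php?title=Help:Contents&action=history HTTP/1.1" 200 4096 "-" "ua"
203.0.113.7 - - [16/Dec/2021:10:01:09 +0000] "POST /index.php?title=Main_Page&action=mcrrestore HTTP/1.1" 302 0 "-" "ua"
198.51.100.9 - - [16/Dec/2021:10:02:00 +0000] "GET /index.php?title=Sandbox&action=McrUndo HTTP/1.1" 200 5000 "-" "ua"
"""

# client, timestamp, method, request target, status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
WATCHED = {"mcrundo", "mcrrestore"}  # the two actions named in the advisory


def watched_requests(log_text):
    """Yield (client, timestamp, method, action, title) for watched actions.

    Only the query string is inspected: access logs do not record POST
    bodies, so parameters sent in a body are not visible to this check.
    """
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, ts, method, target, _status = m.groups()
        query = parse_qs(urlsplit(target).query)
        # Last value wins for a repeated parameter; lower-cased so that
        # unusual casing is still flagged for review.
        action = query.get("action", [""])[-1].lower()
        if action in WATCHED:
            yield client, ts, method, action, query.get("title", ["?"])[-1]


def undo_then_restore(log_text):
    """Return (client, title) pairs where mcrundo was later followed by mcrrestore."""
    pending, hits = set(), []
    for client, _ts, _method, action, title in watched_requests(log_text):
        key = (client, title)
        if action == "mcrundo":
            pending.add(key)
        elif key in pending and key not in hits:
            hits.append(key)
    return hits
```

A pair returned by `undo_then_restore` is a lead to check against the page's revision history and the account's edit rights, not proof of abuse on its own.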

Fix

Weakness Enumeration: Missing Authorization

Related Identifiers

ALT-PU-2021-3561
ALT-PU-2022-1199
BIT-MEDIAWIKI-2021-44857
CVE-2021-44857
DSA-5021-1
MGASA-2021-0568

Affected Products

Alt Linux
Mediawiki