PT-2021-6527 · Mediawiki +1

Legoktm · Published 2021-06-27 · Updated 2024-03-06 · CVE-2021-35197

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions

MediaWiki versions 1.31.15 and earlier
MediaWiki versions 1.32.x through 1.35.x before 1.35.3
MediaWiki versions 1.36.x before 1.36.1

Description

The issue concerns unintended API access for bots in MediaWiki. When a bot account has a "sitewide block" applied, it can still "purge" pages (force the cached rendering of a page to be regenerated) through the MediaWiki Action API, an action the block is supposed to prevent. This could potentially allow a remote attacker to impact data integrity.

Recommendations

For MediaWiki versions 1.31.15 and earlier, update to version 1.31.15 or later. For MediaWiki versions 1.32.x through 1.35.x before 1.35.3, update to version 1.35.3 or later. For MediaWiki versions 1.36.x before 1.36.1, update to version 1.36.1 or later. As a temporary workaround, consider restricting access to the MediaWiki Action API for bot accounts with a "sitewide block" applied.

Weakness Enumeration

Incorrect Authorization
Exposure of Resource to Wrong Sphere

Related Identifiers

ALT-PU-2021-2064
ALT-PU-2021-2091
BDU:2022-01787
BIT-MEDIAWIKI-2021-35197
CVE-2021-35197
DLA-2779-1
DSA-4979-1
MGASA-2021-0346

Affected Products

Alt Linux
Mediawiki