PT-2022-4988 · Mediawiki+1

Func · Published 2021-12-19 · Updated 2024-03-06 · CVE-2021-44856

CVSS v2.0: 10 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

MediaWiki versions 1.35.5 and earlier, 1.36.x before 1.36.3, 1.37.x before 1.37.1

Description

The issue is related to the mishandling of the EditFilterMergedContent hook return value in the Special:ChangeContentModel function. This can allow a title blocked by AbuseFilter to be created, potentially affecting the confidentiality, integrity, and availability of protected information.

Recommendations

For MediaWiki versions 1.35.5 and earlier, update to version 1.35.5 or later. For MediaWiki versions 1.36.x before 1.36.3, update to version 1.36.3 or later. For MediaWiki versions 1.37.x before 1.37.1, update to version 1.37.1 or later. As a temporary workaround, consider restricting access to the Special:ChangeContentModel function until a patch is available.

Fix

Improper Check for Exceptional Conditions

Weakness Enumeration

Related Identifiers

ALT-PU-2021-3561
ALT-PU-2022-1199
BDU:2022-06191
BIT-MEDIAWIKI-2021-44856
CVE-2021-44856
DLA-3117-1
DSA-5246-1
MGASA-2021-0568

Affected Products

Alt Linux
Mediawiki