PT-2023-8949 · Mediawiki+2 · Mediawiki Sportsteams Extension+2
Ashley
·
Published
2023-10-08
·
Updated
2024-09-19
·
CVE-2023-45370
CVSS v3.1
5.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
MediaWiki SportsTeams extension versions prior to 1.35.12
MediaWiki SportsTeams extension versions 1.36.x through 1.39.x before 1.39.5
MediaWiki SportsTeams extension versions 1.40.x before 1.40.1
Description
An issue was discovered in the SportsTeams extension for MediaWiki. The
Special:SportsManagerLogo and Special:SportsTeamsManagerLogo pages do not check for the sportsteamsmanager user right, allowing an attacker to affect pages concerned with sports teams. This is related to a lack of permission checks.Recommendations
For MediaWiki SportsTeams extension versions prior to 1.35.12, update to version 1.35.12 or later.
For MediaWiki SportsTeams extension versions 1.36.x through 1.39.x, update to version 1.39.5 or later.
For MediaWiki SportsTeams extension versions 1.40.x before 1.40.1, update to version 1.40.1 or later.
As a temporary workaround, consider restricting access to the
Special:SportsManagerLogo and Special:SportsTeamsManagerLogo pages until a patch is available.Fix
Missing Authorization
Missing Authentication
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Alt Linux
Mediawiki Sportsteams Extension
Red Os