← back
CVE-2013-4304

CVE-2013-4304

EPSS 2.1%
The CentralAuth extension for MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 caches a valid CentralAuthUser object in the centralauth_User cookie even when a user has not successfully logged in, which allows remote attackers to bypass authentication without a password.
Affected products
n/a · n/a

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.htmlhttp://osvdb.org/96910https://bugzilla.wikimedia.org/show_bug.cgi?id=52338http://seclists.org/oss-sec/2013/q3/553http://secunia.com/advisories/54723https://exchange.xforce.ibmcloud.com/vulnerabilities/86894