Description
An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.27.0 through 1.32.1. Directly POSTing to Special:ChangeEmail bypassed the re-authentication check, allowing potential account takeover.
Remediation
References