CVE-2013-4306

Cross-site request forgery (CSRF) vulnerability in api/ApiQueryCheckUser.php in the CheckUser extension for MediaWiki, possibly Checkuser before 2.3, allows remote attackers to hijack the authentication of arbitrary users for requests that "perform sensitive write actions" via unspecified vectors.

CVSS v2.0 6.8 MEDIUM

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://www.securityfocus.com/bid/62210	Third Party Advisory VDB Entry
http://seclists.org/oss-sec/2013/q3/553	Mailing List Third Party Advisory
http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html	Patch
https://bugzilla.wikimedia.org/show_bug.cgi?id=45019	Issue Tracking Patch
https://git.wikimedia.org/commit/mediawiki%2Fextensions%2FCheckUser.git/99ad25d066ce6111e798427cba7f21526827f651	Patch
http://osvdb.org/96908	Broken Link
https://exchange.xforce.ibmcloud.com/vulnerabilities/86893	VDB Entry

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:mediawiki:mediawiki::::::::
	cpe:2.3:a:mediawiki:mediawiki::::::::
	cpe:2.3:a:mediawiki:mediawiki::::::::

History

No history.

Information

Published : 2013-10-11 21:55

Updated : 2019-07-18 12:27

NVD link : CVE-2013-4306

Mitre link : CVE-2013-4306

JSON object : View

Products Affected

mediawiki

mediawiki

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://www.securityfocus.com/bid/62210", "name": "62210", "tags": ["Third Party Advisory", "VDB Entry"], "refsource": "BID"}, {"url": "http://seclists.org/oss-sec/2013/q3/553", "name": "[oss-security] 20130904 Re: CVE request: MediaWiki Security Release: 1.21.2, 1.20.7 and 1.19.8", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "MLIST"}, {"url": "http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html", "name": "[MediaWiki-announce] 20130903 MediaWiki Security Release: 1.21.2, 1.20.7 and 1.19.8", "tags": ["Patch"], "refsource": "MLIST"}, {"url": "https://bugzilla.wikimedia.org/show_bug.cgi?id=45019", "name": "https://bugzilla.wikimedia.org/show_bug.cgi?id=45019", "tags": ["Issue Tracking", "Patch"], "refsource": "CONFIRM"}, {"url": "https://git.wikimedia.org/commit/mediawiki%2Fextensions%2FCheckUser.git/99ad25d066ce6111e798427cba7f21526827f651", "name": "https://git.wikimedia.org/commit/mediawiki%2Fextensions%2FCheckUser.git/99ad25d066ce6111e798427cba7f21526827f651", "tags": ["Patch"], "refsource": "CONFIRM"}, {"url": "http://osvdb.org/96908", "name": "96908", "tags": ["Broken Link"], "refsource": "OSVDB"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86893", "name": "mediawiki-cve20134306-csrf(86893)", "tags": ["VDB Entry"], "refsource": "XF"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Cross-site request forgery (CSRF) vulnerability in api/ApiQueryCheckUser.php in the CheckUser extension for MediaWiki, possibly Checkuser before 2.3, allows remote attackers to hijack the authentication of arbitrary users for requests that \"perform sensitive write actions\" via unspecified vectors."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-352"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2013-4306", "ASSIGNER": "secalert@redhat.com"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "severity": "MEDIUM", "impactScore": 6.4, "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}}, "publishedDate": "2013-10-11T21:55Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "1.19.8", "versionStartIncluding": "1.19.0"}, {"cpe23Uri": "cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "1.20.7", "versionStartIncluding": "1.20.0"}, {"cpe23Uri": "cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "1.21.2", "versionStartIncluding": "1.21.0"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2019-07-18T12:27Z"}