Description
MediaWiki before 1.15.3, and 1.6.x before 1.16.0beta2, does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to conduct phishing attacks by arranging for a victim to log in to the attacker's account and then execute a crafted user script, related to a "login CSRF" issue.
References (11)
Third Party Advisory (vdb-entry, x_refsource_vupen): http://www.vupen.com/english/advisories/2010/1055
Various Sources (x_refsource_confirm): http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_0beta2/phase3/RELEASE-NOTES
Various Sources (x_refsource_confirm): http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_15_3/phase3/RELEASE-NOTES
Patch (x_refsource_confirm): http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.0beta2.patch.gz
Mailing List (mailing-list, x_refsource_mlist): http://www.openwall.com/lists/oss-security/2010/04/08/4
Patch (x_refsource_confirm): http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.3.patch.gz
Exploit (x_refsource_confirm): https://bugzilla.wikimedia.org/show_bug.cgi?id=23076
Patch, Vendor Advisory (mailing-list, x_refsource_mlist): http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-April/000090.html
Mailing List (mailing-list, x_refsource_mlist): http://www.openwall.com/lists/oss-security/2010/04/07/1
Issue Tracking (x_refsource_confirm): https://bugzilla.redhat.com/show_bug.cgi?id=580418
Third Party Advisory (vendor-advisory, x_refsource_debian): http://www.debian.org/security/2010/dsa-2041
Scores
EPSS: 0.0041
EPSS Percentile: 61.6%
Details
CWE: CWE-352
Status: published
Products (44)
mediawiki/mediawiki 1.6.0
mediawiki/mediawiki 1.6.1
mediawiki/mediawiki 1.6.2
mediawiki/mediawiki 1.6.3
mediawiki/mediawiki 1.6.4
mediawiki/mediawiki 1.6.5
mediawiki/mediawiki 1.6.6
mediawiki/mediawiki 1.6.7
mediawiki/mediawiki 1.6.8
mediawiki/mediawiki 1.6.9
... and 34 more
Published: Apr 20, 2010
Tracked Since: Feb 18, 2026