CVE-2020-35623

HIGH

MediaWiki <1.35.1 - Privilege Escalation

Title source: llm
STIX 2.1

Description

An issue was discovered in the CasAuth extension for MediaWiki through 1.35.1. Due to improper username validation, it allowed user impersonation with trivial manipulations of certain characters within a given username. An ordinary user may be able to login as a "bureaucrat user" who has a similar username, as demonstrated by usernames that differ only in (1) bidirectional override symbols or (2) blank space.

References (2)

Core 2
Core References
Exploit, Third Party Advisory x_refsource_misc
https://phabricator.wikimedia.org/T263498
Patch, Third Party Advisory x_refsource_misc
https://github.com/CWRUChielLab/CASAuth/pull/11

Scores

CVSS v3 7.5
EPSS 0.0108
EPSS Percentile 60.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE
CWE-20 CWE-706
Status published
Products (1)
mediawiki/mediawiki < 1.35.1
Published Dec 21, 2020
Tracked Since Feb 18, 2026