CVE-2020-35625
HIGHMediaWiki < 1.35.1 - Unauthenticated Arbitrary Static Function Execution via Widgets Extension HTML Comment
Title source: llmDescription
An issue was discovered in the Widgets extension for MediaWiki through 1.35.1. Any user with the ability to edit pages within the Widgets namespace could call any static function within any class (defined within PHP or MediaWiki) via a crafted HTML comment, related to a Smarty template. For example, a person in the Widget Editors group could use \MediaWiki\Shell\Shell::command within a comment.
References (2)
Core 2
Core References
Third Party Advisory x_refsource_misc
https://phabricator.wikimedia.org/T269718
Third Party Advisory x_refsource_misc
https://gerrit.wikimedia.org/r/q/Ic899a8b15bc510e61cdacb5c024af2d226a2dbeb
Scores
CVSS v3
8.8
EPSS
0.0023
EPSS Percentile
45.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-862
Status
published
Products (1)
mediawiki/mediawiki
< 1.35.1
Published
Dec 21, 2020
Tracked Since
Feb 18, 2026