CVE-2020-35626
HIGH
MediaWiki < 1.35.1 - Cross-Site Request Forgery in PushToWatch Extension
Title source: llmDescription
An issue was discovered in the PushToWatch extension for MediaWiki through 1.35.1. The primary form did not implement an anti-CSRF token and therefore was completely vulnerable to CSRF attacks against onSkinAddFooterLinks in PushToWatch.php.
References (2)
Core References
Third Party Advisory x_refsource_misc
https://phabricator.wikimedia.org/T268641
Patch, Third Party Advisory x_refsource_misc
https://gerrit.wikimedia.org/r/q/14dc79b1f44c2a1ca6b1192284206c7b8626fb57
Scores
CVSS v3
8.8
EPSS
0.0011
EPSS Percentile
28.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-352
Status
published
Products (1)
mediawiki/mediawiki
< 1.35.1
Published
Dec 21, 2020
Tracked Since
Feb 18, 2026