CVE-2013-2032

Published: 18 November 2013

MediaWiki before 1.19.6 and 1.20.x before 1.20.5 does not allow extensions to prevent password changes without using both Special:PasswordReset and Special:ChangePassword, which allows remote attackers to bypass the intended restrictions of an extension that only implements one of these blocks.

Priority

Medium

Status

Package: mediawiki (Launchpad, Ubuntu, Debian)

Release | Status
Upstream | Released (1.20.5, 1.19.6)
Ubuntu 18.04 LTS (Bionic Beaver) | Not vulnerable (1:1.27.4-3)
Ubuntu 16.04 LTS (Xenial Xerus) | Does not exist
Ubuntu 14.04 ESM (Trusty Tahr) | Does not exist (trusty was not-affected [1:1.19.14+dfsg-1])

Patches:
Upstream: https://gerrit.wikimedia.org/r/61631
Upstream: https://gerrit.wikimedia.org/r/61641
Upstream: https://gerrit.wikimedia.org/r/61644