CVE-2013-4572

Published: 06 February 2020

The CentralNotice extension for MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 sets the Cache-Control header to cache session cookies when a user is autocreated, which allows remote attackers to authenticate as the created user.

Priority

Medium

CVSS 3 base score: 7.5

Status

Package: mediawiki (Launchpad, Ubuntu, Debian)

Release: Status
Upstream: Released (1:1.19.8+dfsg-2.2)
Ubuntu 16.04 LTS (Xenial Xerus): Does not exist
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist (trusty was not-affected [1:1.19.11+dfsg-1])

Patches:
Upstream: https://gerrit.wikimedia.org/r/#/c/107303/