CVE-2021-21275
CSRF in MediaWiki Report extension
Severity Score
4.3
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
The MediaWiki "Report" extension has a Cross-Site Request Forgery (CSRF) vulnerability. Before fixed version, there was no protection against CSRF checks on Special:Report, so requests to report a revision could be forged. The problem has been fixed in commit f828dc6 by making use of MediaWiki edit tokens.
La extensión "Report" de MediaWiki presenta una vulnerabilidad de tipo Cross-Site Request Forgery (CSRF). Antes de la versión corregida, no había protección contra las comprobaciones de CSRF en Special:Report, por lo que las peticiones para reportar una revisión podrían ser falsificadas. El problema ha sido corregido en el commit f828dc6 al hacer uso de los tokens de edición de MediaWiki
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2020-12-22 CVE Reserved
- 2021-01-25 CVE Published
- 2023-09-01 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-352: Cross-Site Request Forgery (CSRF)
CAPEC
References (4)
URL | Tag | Source |
---|---|---|
https://www.oracle.com//security-alerts/cpujul2021.html | Third Party Advisory | |
https://www.oracle.com/security-alerts/cpuapr2022.html | Third Party Advisory |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Report Project Search vendor "Report Project" | Report Search vendor "Report Project" for product "Report" | < 2021-01-21 Search vendor "Report Project" for product "Report" and version " < 2021-01-21" | mediawiki |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Cloud Native Core Network Slice Selection Function Search vendor "Oracle" for product "Communications Cloud Native Core Network Slice Selection Function" | 1.2.1 Search vendor "Oracle" for product "Communications Cloud Native Core Network Slice Selection Function" and version "1.2.1" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Pricing Design Center Search vendor "Oracle" for product "Communications Pricing Design Center" | 12.0.0.4.0 Search vendor "Oracle" for product "Communications Pricing Design Center" and version "12.0.0.4.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Pricing Design Center Search vendor "Oracle" for product "Communications Pricing Design Center" | 12.0.0.5.0 Search vendor "Oracle" for product "Communications Pricing Design Center" and version "12.0.0.5.0" | - |
Affected
|