// For flags

CVE-2021-21275

CSRF in MediaWiki Report extension

Severity Score

4.3
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The MediaWiki "Report" extension has a Cross-Site Request Forgery (CSRF) vulnerability. Before fixed version, there was no protection against CSRF checks on Special:Report, so requests to report a revision could be forged. The problem has been fixed in commit f828dc6 by making use of MediaWiki edit tokens.

La extensión "Report" de MediaWiki presenta una vulnerabilidad de tipo Cross-Site Request Forgery (CSRF). Antes de la versión corregida, no había protección contra las comprobaciones de CSRF en Special:Report, por lo que las peticiones para reportar una revisión podrían ser falsificadas. El problema ha sido corregido en el commit f828dc6 al hacer uso de los tokens de edición de MediaWiki

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2020-12-22 CVE Reserved
  • 2021-01-25 CVE Published
  • 2024-08-03 CVE Updated
  • 2024-11-14 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-352: Cross-Site Request Forgery (CSRF)
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Report Project
Search vendor "Report Project"
Report
Search vendor "Report Project" for product "Report"
< 2021-01-21
Search vendor "Report Project" for product "Report" and version " < 2021-01-21"
mediawiki
Affected
Oracle
Search vendor "Oracle"
Communications Cloud Native Core Network Slice Selection Function
Search vendor "Oracle" for product "Communications Cloud Native Core Network Slice Selection Function"
1.2.1
Search vendor "Oracle" for product "Communications Cloud Native Core Network Slice Selection Function" and version "1.2.1"
-
Affected
Oracle
Search vendor "Oracle"
Communications Pricing Design Center
Search vendor "Oracle" for product "Communications Pricing Design Center"
12.0.0.4.0
Search vendor "Oracle" for product "Communications Pricing Design Center" and version "12.0.0.4.0"
-
Affected
Oracle
Search vendor "Oracle"
Communications Pricing Design Center
Search vendor "Oracle" for product "Communications Pricing Design Center"
12.0.0.5.0
Search vendor "Oracle" for product "Communications Pricing Design Center" and version "12.0.0.5.0"
-
Affected