CVE-2021-35197
Gentoo Linux Security Advisory 202107-40
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
In MediaWiki before 1.31.15, 1.32.x through 1.35.x before 1.35.3, and 1.36.x before 1.36.1, bots have certain unintended API access. When a bot account has a "sitewide block" applied, it is able to still "purge" pages through the MediaWiki Action API (which a "sitewide block" should have prevented).
En MediaWiki versiones anteriores a 1.31.15, versiones 1.32.x hasta 1.35.x, versiones anteriores a 1.35.3, y versiones 1.36.x anteriores a 1.36.1, unos bots presentan determinados accesos a la API no deseados. Cuando una cuenta de bot presenta un "sitewide block" aplicado, es capaz de "purge" páginas mediante la API de acción de MediaWiki (lo que un "bloqueo del sitio" debería haber impedido)
Multiple security issues were found in MediaWiki, a website engine for collaborative work, which could result in cross-site scripting, denial of service and a bypass of restrictions in the "Replace Text" extension.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-06-22 CVE Reserved
- 2021-07-02 CVE Published
- 2024-08-04 CVE Updated
- 2024-08-04 First Exploit
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-863: Incorrect Authorization
CAPEC
References (8)
| URL | Tag | Source |
|---|---|---|
| https://lists.debian.org/debian-lts-announce/2021/10/msg00003.html | Mailing List |
|
| https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce%40lists.wikimedia.org/thread/YR3X4L2CPSEJVSY543AWEO65TD6APXHP | X_refsource_confirm |
| URL | Date | SRC |
|---|---|---|
| https://phabricator.wikimedia.org/T280226 | 2024-08-04 |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Mediawiki Search vendor "Mediawiki" | Mediawiki Search vendor "Mediawiki" for product "Mediawiki" | < 1.31.15 Search vendor "Mediawiki" for product "Mediawiki" and version " < 1.31.15" | - |
Affected
| ||||||
| Mediawiki Search vendor "Mediawiki" | Mediawiki Search vendor "Mediawiki" for product "Mediawiki" | >= 1.32.0 < 1.35.3 Search vendor "Mediawiki" for product "Mediawiki" and version " >= 1.32.0 < 1.35.3" | - |
Affected
| ||||||
| Mediawiki Search vendor "Mediawiki" | Mediawiki Search vendor "Mediawiki" for product "Mediawiki" | >= 1.36.0 < 1.36.1 Search vendor "Mediawiki" for product "Mediawiki" and version " >= 1.36.0 < 1.36.1" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 33 Search vendor "Fedoraproject" for product "Fedora" and version "33" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 34 Search vendor "Fedoraproject" for product "Fedora" and version "34" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 35 Search vendor "Fedoraproject" for product "Fedora" and version "35" | - |
Affected
| ||||||