Description

An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. It incorrectly executed certain rules related to blocking accounts after account creation. Such rules would allow for user accounts to be created while blocking only the IP address used to create an account (and not the user account itself). Such rules could also be used by a nefarious, unprivileged user to catalog and enumerate any number of IP addresses related to these account creations.

Remediation

References

CVE-2021-31552

Related Vulnerabilities

MyBB Improper Input Validation Vulnerability (CVE-2016-9420)

Apache HTTP Server Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') Vulnerability (CVE-2023-25690)

WordPress Plugin Forminator-Contact Form, Payment Form & Custom Form Builder Cross-Site Scripting (1.29.2)

phpBB Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2008-7143)

WordPress Plugin Viral Quiz Maker-OnionBuzz SQL Injection (1.2.1)

Severity

Medium

Classification

CVE-2021-31552 CWE-668 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities