Description

An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. It incorrectly executed certain rules related to blocking accounts after account creation. Such rules would allow for user accounts to be created while blocking only the IP address used to create an account (and not the user account itself). Such rules could also be used by a nefarious, unprivileged user to catalog and enumerate any number of IP addresses related to these account creations.

Remediation

References

CVE-2021-31552

Related Vulnerabilities

WordPress Plugin Mingle Forum Multiple Cross-Site Request Forgery Vulnerabilities (1.0.34)

WordPress Plugin Adminer Multiple Cross-Site Scripting Vulnerabilities (1.4.3)

WordPress Plugin Spam Free WordPress Security Bypass (1.9.2)

PrestaShop Unrestricted Upload of File with Dangerous Type Vulnerability (CVE-2018-19126)

Apache HTTP Server Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2012-3499)

Severity

Medium

Classification

CVE-2021-31552 CWE-668 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities